Re-encryption device, cryptographic system, re-encryption method, and computer readable medium

ABSTRACT

An encryption device (30) generates a session key K and a ciphertext ct_(S) in which the session key K is encrypted, using an encryption algorithm that takes as input attribute information S. A re-encryption key generation device (40) generates a re-encryption key rk including a converted decryption key sk_(Γ) ^(˜) generated by setting a random number r in a decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, a session key K′ and a ciphertext ct_(S′) that are generated by the encryption algorithm using as input attribute information S′, and conversion information generated from the random number r. A re-encryption device (50) outputs a re-encrypted ciphertext rct_(S′) including the ciphertext ct_(S′) and a cipher element K^(˜) generated by deleting an element related to the random number r by the conversion information from decryption information K̂ obtained by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) and setting the session key K′.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of PCT International Application No. PCT/JP2020/023680, filed on Jun. 17, 2020, all of which is hereby expressly incorporated by reference into the present application.

TECHNICAL FIELD

The present disclosure relates to a proxy re-encryption (PRE) technique in functional encryption or attribute-based encryption in which an access range can be set.

BACKGROUND ART

PRE is a system in which a decryption authority for a ciphertext is transferred to another person without decrypting the ciphertext.

Non-Patent Literature 1 describes a scheme of PRE in attribute-based encryption (attribute-based PRE, ABPRE). Non-Patent Literature 2 describes a scheme of attribute-based encryption in which a specific user can make any attribute change (adaptable attribute-based encryption, Ad-PRE). Patent Literature 1 describes a PRE scheme in which an increase in the data size of a ciphertext when being re-encrypted is reduced in comparison with Non-Patent Literature 1 and Non-Patent Literature 2.

CITATION LIST

Patent Literature

Patent Literature 1: WO 2015-107620 A1

Non-Patent Literature

Non-Patent Literature 1: Song Luo, Jianbin Hu, and Zhong Chen, “Ciphertext Policy Attribute-Based Proxy Re-encryption”

Non-Patent Literature 2: Junzuo Lai, Robert H. Deng, Yanjiang Yang, and Jian Weng, “Adaptable Ciphertext-Policy Attribute-Based Encryption”

SUMMARY OF INVENTION

Technical Problem

In the PRE scheme described in Non-Patent Literature 1, a problem is that the data size of a ciphertext increases each time re-encryption is performed. Specifically, when re-encryption is performed N times, the data size of a ciphertext increases by a size in proportion to N. Therefore, there is a convenience-related problem that if re-encryption is performed repeatedly, the data size of a ciphertext may exceed a size that is determined by the system.

When data is decrypted once and then re-encrypted, data that has been increased can be deleted. However, decrypting the data once causes the data to return to a plaintext once, so that there is a problem in terms of security.

In the PRE scheme described in Non-Patent Literature 2, an entity with a specific high-level authority can freely change an access range for any ciphertext. However, since the access range for any ciphertext can be changed in any way, there is a problem in terms of security.

In the PRE scheme described in Patent Literature 1, an increase in the data size of a ciphertext when being re-encrypted can be suppressed. However, the data size of a ciphertext increases in proportion to the number of times re-encryption is performed, as in Non-Patent Literature 1 and Non-Patent Literature 2.

An object of the present disclosure is to make it possible to make the data size of a ciphertext generated by re-encryption not dependent on the number of times re-encryption is performed.

Solution to Problem

A re-encryption device according to the present disclosure includes a ciphertext acquisition unit to acquire a ciphertext ct_(S) out of a session key K and the ciphertext ct_(S), the session key K being generated by an encryption algorithm using as input attribute information S that defines a range to be permitted decryption, the ciphertext ct_(S) being a ciphertext in which the session key K is encrypted;

a key acquisition unit to acquire a re-encryption key rk including a converted decryption key sk_(Γ) ^(˜) that is generated by setting a random number r in a decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, a session key K′ and a ciphertext ct_(S′) in which the session key K′ is encrypted that are generated by the encryption algorithm using as input attribute information S′ that defines a range to be permitted decryption, and conversion information that is generated from the random number r;

a re-encrypted ciphertext generation unit to generate a cipher element K^(˜) by deleting an element related to the random number r by the conversion information from decryption information K̂ and setting the session key K′, the decryption information K̂ being obtained by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) included in the re-encryption key rk; and

an output unit to output a re-encrypted ciphertext rct_(S′) including the cipher element K^(˜) and the ciphertext ct_(S′).

Advantageous Effects of Invention

In the present disclosure, a re-encrypted ciphertext rct_(S′) includes a cipher element K^(˜) that is generated from a session key K and a session key K′ and includes a ciphertext ct_(S′). The session key K′ is generated by decrypting the ciphertext ct_(S′) with a decryption key sk_(Γ′), and the session key K can be generated from the cipher element K^(˜) and the session key K′.

Also when a ciphertext ct_(S′) is handled as a ciphertext ct_(S) to generate a re-encrypted ciphertext rct_(S′), a similar re-encrypted ciphertext rct_(S′) is output and a session key K can be generated similarly.

Therefore, it is possible to make the data size of a ciphertext generated by re-encryption not dependent on the number of times re-encryption is performed.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M̂ according to a first embodiment;

FIG. 2 is an explanatory drawing of a matrix M_(δ) according to the first embodiment;

FIG. 3 is an explanatory drawing of s₀ according to the first embodiment;

FIG. 4 is an explanatory drawing of s^(→T) according to the first embodiment;

FIG. 5 is a configuration diagram of a cryptographic system 100 according to the first embodiment;

FIG. 6 is a configuration diagram of a common parameter generation device 10 according to the first embodiment;

FIG. 7 is a configuration diagram of a user secret key generation device 20 according to the first embodiment;

FIG. 8 is a configuration diagram of an encryption device 30 according to the first embodiment;

FIG. 9 is a configuration diagram of a re-encryption key generation device 40 according to the first embodiment;

FIG. 10 is a configuration diagram of a re-encryption device 50 according to the first embodiment;

FIG. 11 is a configuration diagram of a decryption device 60 according to the first embodiment;

FIG. 12 is a flowchart illustrating operation of the common parameter generation device 10 according to the first embodiment;

FIG. 13 is a flowchart illustrating operation of the user secret key generation device 20 according to the first embodiment;

FIG. 14 is a flowchart illustrating operation of the encryption device 30 according to the first embodiment;

FIG. 15 is a flowchart illustrating operation of the re-encryption key generation device 40 according to the first embodiment;

FIG. 16 is a flowchart illustrating operation of the re-encryption device 50 according to the first embodiment;

FIG. 17 is a flowchart illustrating operation of the decryption device 60 when a ciphertext ct_(S) is decrypted according to the first embodiment; and

FIG. 18 is a flowchart illustrating operation of the decryption device 60 when a re-encrypted ciphertext rct_(S′) is decrypted according to the first embodiment.

DESCRIPTION OF EMBODIMENTS

First Embodiment

***Preliminaries***

<Description of Notations>

When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. That is, y is a random number in Formula 101.

$y \overset{R}{\longleftarrow} A$  [Formula 101]

When A is a set, Formula 102 denotes that y is uniformly selected from A. That is, y is a uniform random number in Formula 102.

$y \overset{U}{\longleftarrow} A$  [Formula 102]

Formula 103 denotes that y is a set defined by z or y is a set substituted by z.

y:=z  [Formula 103]

When a is a constant, Formula 104 denotes that a machine (algorithm) A outputs a on input x.

A(x)→a  [Formula 104]

For example,

A(x)→1

Formula 105, namely F_(q), denotes a finite field of order q.

$\mathbb{F}_q$  [Formula 105]

Formula 106 is represented as Formula 107.

$\mathbb{F}_q \setminus \{0\}$  [Formula 106]

$\mathbb{F}_q^{\times}$  [Formula 107]

A vector representation denotes a vector over the finite field F_(q). That is, this is as indicated in Formula 108.

$\vec{x}$ denotes $(x_1, \ldots, x_n) \in \mathbb{F}_q^n$.  [Formula 108]

Note that X^(T) denotes the transpose of a matrix X.

An element in a vector space of Formula 109 is represented as Formula 110.

  [Formula 109]

x∈

  [Formula 110]

In the case of Formula 111, a subspace formed by b_(1), . . . , b_(n) is represented as Formula 112.

b _(i)∈

(i=1, . . . ,n)  [Formula 111]

span<b ₁ , . . . ,b _(n)>⊆

  [Formula 112]

Formula 113 denotes the inner-product, indicated in Formula 115, of two vectors x^(→) and v^(→) indicated in Formula 114.

$\vec{x} \cdot \vec{v}$  [Formula 113]

$\vec{x} = (x_1, \ldots, x_n)$, $\vec{v} = (v_1, \ldots, v_n)$  [Formula 114]

$\sum_{i=1}^{n} x_i v_i$  [Formula 115]

For a basis B and a basis B* indicated in Formula 116, Formula 117 is established.

$\mathbb{B} := (b_1, \ldots, b_N)$, $\mathbb{B}^* := (b_1^*, \ldots, b_N^*)$  [Formula 116]

:=Σ_(i=1) ^(N) x _(i) b _(i),

:=Σ_(i=1) ^(N) y _(i) b _(i)*  [Formula 117]

Note that e^(→) _(j) denotes a normal basis vector indicated in Formula 118.

$\vec{e}_j : (\overbrace{0 \ldots 0}^{j-1}, 1, \overbrace{0 \ldots 0}^{n-j}) \in \mathbb{F}_q^n \text{ for } j = 1, \ldots, n$  [Formula 118]

GL(n, F_(q)) represents a general linear group of dimension n over the finite field F_(q).

For a matrix W indicated in Formula 119 and an element g in an n-dimensional vector space V indicated in Formula 120, Formula 121 is defined.

W:=(w _(i,j))_(i,j=1, . . . ,n) ∈F _(q) ^(n×n)  [Formula 119]

g:=(G ₁ , . . . ,G _(n))  [Formula 120]

$gW := \left(\sum_{i=1}^{n} G_i w_{i,1}, \ldots, \sum_{i=1}^{n} G_i w_{i,n}\right) = \left(\sum_{i=1}^{n} w_{i,1} G_i, \ldots, \sum_{i=1}^{n} w_{i,n} G_i\right)$  [Formula 121]

<Symmetric Bilinear Pairing Groups>

Symmetric bilinear pairing groups (q, G, G_(T), g, e) are a tuple of a prime q, a cyclic additive group G of order q, a cyclic multiplicative group G_(T) of order q, g≠0∈G, and a polynomial-time computable nondegenerate bilinear map e: G×G→G_(T). The bilinear map signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let G_(bpg) be an algorithm that takes as input 1^(λ) and outputs values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups with a security parameter 1^(λ).

<Dual Pairing Vector Spaces>

Dual pairing vector spaces (q, V, G_(T), A, e) can be constructed by a direct product of the symmetric bilinear pairing groups (param_(G):=(q, G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) are a tuple of a prime q, an N-dimensional vector space V over F_(q) indicated in Formula 122, a cyclic group G_(T) of order q, a canonical basis A:=(a₁, . . . , a_(N)) of the space V, and a pairing operation e indicated in Formula 123. Note that a_(i) is as indicated in Formula 124.

$\mathbb{V} := \overbrace{\mathbb{G} \times \cdots \times \mathbb{G}}^{N}$  [Formula 122]

$e : \mathbb{V} \times \mathbb{V} \rightarrow \mathbb{G}_T$  [Formula 123]

$a_i := (\overbrace{0, \ldots, 0}^{i-1}, g, \overbrace{0, \ldots, 0}^{N-i})$  [Formula 124]

A pairing in the space V is defined by Formula 125.

This is nondegenerate. That is, e(sx, ty)=e(x, y)^(st) and if e(x, y)=1 for all y∈V, then x=0. For all i and j, e(a_(i), a_(j))=e(g, g)^(δ_(i,j)), where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j, and e(g, g)≠1∈G_(T).

$e(x, y) := \prod_{i=1}^{N} e(G_i, H_i) \in \mathbb{G}_T$  [Formula 125]

where

$(G_1, \ldots, G_N) := x \in \mathbb{V}$,

$(H_1, \ldots, H_N) := y \in \mathbb{V}$.

In the following description, let G_(dpvs) be an algorithm that takes as input 1^(λ) (λ∈natural numbers), N∈natural numbers, and the values of the parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, and outputs values of a parameter param_(V):=(q, V, G_(T), A, e) of dual pairing vector spaces of the N-dimensional vector space V with a security parameter λ.

<Attribute-Based Encryption for Non-Monotone Access Structure>

Attribute-based encryption (ABE) is an encryption scheme in which the functions of public key encryption or identifier (ID)-based encryption are extended. ABE is public key encryption in which an attribute set Γ is set in one of a ciphertext and a decryption key and an access structure S for the entirety of attributes is set in the other of the ciphertext and the decryption key, and decryption is possible if and only if the attribute set Γ satisfies the access structure S.

ABE in which an access structure is set in a ciphertext is called ciphertext policy attribute-based encryption (CP-ABE), and ABE in which an access structure is set in a decryption key is called key policy attribute-based encryption (KP-ABE). In a first embodiment, CP-ABE will be described. However, it is easy to convert CP-ABE into KP-ABE. In ABE, a conditional expression using logical sum (OR) and logical conjunction (AND) can be set as an access structure. This allows an access right such as “division A and at least section manager” to be set, so that CP-ABE is considered useful for secure file sharing in a company and so on.

<Span Program and Non-Monotone Access Structure>

Referring to FIG. 1, a matrix M̂ will be described.

Let {p₁, . . . , p_(n)} be a set of variables. M̂:=(M, ρ) is a labeled matrix. The matrix M is an (L rows×r columns) matrix over F_(q), and ρ is a label of columns of the matrix M and is related to one of literals {p₁, . . . , p_(n), ¬p₁, . . . , ¬p_(n)}. A label ρ_(i) (i=1, . . . , L) of each row of M is related to one of the literals. That is, ρ: {1, . . . , L}→{p₁, . . . , p_(n), ¬p₁, . . . , ¬p_(n)}.

For every input sequence δ∈{0, 1}^(n), a submatrix M_(δ) of the matrix M is defined. The matrix M_(δ) is a submatrix consisting of those rows of the matrix M the labels ρ of which are related to a value “1” by the input sequence δ. That is, the matrix M_(δ) is a submatrix consisting of the rows of the matrix M which are related to p_(i) such that δ_(i)=1 and the rows of the matrix M which are related to ¬p_(i) such that δ_(i)=0.

Referring to FIG. 2, the matrix M_(δ) will be described. Note that n=7, L=6, and r=5 in FIG. 2. That is, the set of variables is {p₁, . . . , p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, it is assumed that the labels ρ are related such that ρ₁ is related to ¬p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to ¬p₅, ρ₅ to ¬p₃, and ρ₆ to p₅.

It is assumed that in an input sequence δ∈{0, 1}⁷, δ₁=1, δ₂=0, δ₃=1, δ₄=0, δ₅=0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rows of the matrix M which are related to literals (p₁, p₃, p₆, p₇, ¬p₂, ¬p₄, ¬p₅) surrounded by broken lines is the matrix M_(δ). That is, the submatrix consisting of the first row (M₁), second row (M₂), and fourth row (M₄) of the matrix M is the matrix M_(δ).

In other words, a map γ: {1, . . . , L}→{0, 1} is defined such that γ(j)=1 if [ρ(j)=p_(i)]∧[δ_(i)=1] or [ρ(j)=¬p_(i)]∧[δ_(i)=0], and γ(j)=0 otherwise. In this case, M_(δ):=(M_(j))_(γ(j)=1). Note that M_(j) is the j-th row of the matrix M.

That is, in FIG. 2, map γ(j)=1 (j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6). Hence, (M_(j))_(γ(j)=1) is M₁, M₂, and M₄, and is the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M is included in the matrix M_(δ) is determined by whether the value of the map γ(j) is “0” or “1”.

A span program M̂ accepts an input sequence δ if and only if 1^(→)∈span<M_(δ)>, and rejects the input sequence δ otherwise. That is, the span program M̂ accepts the input sequence δ if and only if a linear combination of the rows of the matrix M_(δ) that are obtained from the matrix M̂ by the input sequence δ gives 1^(→). Note that 1^(→) is a row vector that has a value “1” in each element.

For example, in an example of FIG. 2, the span program M̂ accepts the input sequence δ if and only if a linear combination of the respective rows of the matrix M_(δ) consisting of the first, second, and fourth rows of the matrix M gives 1^(→). That is, if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), the span program M̂ accepts the input sequence δ.

The span program is called monotone if its labels ρ are related to only positive literals {p₁, . . . , p_(n)}. The span program is called non-monotone if its labels ρ are related to the literals {p₁, . . . , p_(n), ¬p₁, . . . , ¬p_(n)}. It is assumed here that the span program is non-monotone. An access structure (non-monotone access structure) is constructed using the non-monotone span program. Briefly, an access structure controls access to encryption. That is, it controls whether a ciphertext can be decrypted or not.

<Inner-Product of Attribute Information and Access Structure>

The above-described map γ(j) is calculated using an inner-product of attribute information. That is, the inner-product of attribute information is used to determine which rows of the matrix M are to be included in the matrix M_(δ).

U_(t) (t=1, . . . , d and U_(t) ⊂{0, 1}*) is a sub-universe and a set of attributes. Each U_(t) includes identification information (t) of the sub-universe and an n-dimensional vector (v^(→)). That is, U_(t) is (t, v^(→)), where t∈{1, . . . , d} and v^(→)∈F_(q) ^(n).

Let U_(t):=(t, v^(→)) be a variable p in a span program M̂:=(M, ρ). That is, p:=(t, v^(→)). Let the span program M̂:=(M, ρ) with the variable (p:=(t, v^(→)), (t, v′^(→)), . . . ) be an access structure S.

That is, the access structure S:=(M, ρ) and ρ:{1, . . . , L}→{(t, v^(→)), (t, v′^(→)), . . . , ¬(t, v^(→)), ¬(t, v′^(→)), . . . }.

Next, let Γ be an attribute set. That is, Γ:={(t, x^(→) _(t))|x^(→) _(t) ∈F_(q) ^(n), 1≤t≤d}.

When Γ is given to the access structure S, a map γ: {1, . . . , L}→{0, 1} for the span program M̂:=(M, ρ) is defined as described below. For each integer i=1, . . . , L, if [ρ(i)=(t, v^(→) _(i))]∧[(t, x^(→) _(t))∈Γ]∧[v^(→) _(i)·x^(→) _(t)=0] or [ρ(i)=¬(t, v^(→) _(i))]∧[(t, x^(→) _(t))∈Γ]∧[v^(→) _(i)·x^(→) _(t)≠0], then γ(i)=1, and otherwise γ(i)=0.

That is, the map γ is calculated based on the inner-product of the attribute information v^(→) and x^(→). Then, which rows of the matrix M are to be included in the matrix M_(δ) is determined by the map γ, as described above. That is, which rows of the matrix M are to be included in the matrix M_(δ) is determined by the inner-product of the attribute information v^(→) and x^(→), and if and only if 1^(→)∈span<(M_(i))_(γ(i)=1)>, the access structure S:=(M, ρ) accepts Γ.

<Secret Distribution Scheme>

Secret distribution in a non-monotone access structure (or span program) will be defined.

A secret distribution scheme distributes secret information into pieces of distributed information, each of which is meaningless on its own. For example, secret information s is distributed into 10 pieces to generate 10 pieces of distributed information. Each of the 10 pieces of distributed information does not have information on the secret information s. Hence, even when one of the pieces of distributed information is obtained, no information can be obtained on the secret information s. On the other hand, if all of the 10 pieces of distributed information are obtained, the secret information s can be recovered.

There is another secret distribution scheme according to which the secret information s can be recovered if some (for example, 8 pieces) of distributed information can be obtained, without obtaining all of the 10 pieces of distributed information. A case like this where the secret information s can be recovered using 8 pieces out of 10 pieces of distributed information is called 8-out-of-10. That is, a case where the secret information s can be recovered using t pieces out of n pieces of distributed information is called t-out-of-n. This t is called a threshold value.

There is still another secret distribution scheme according to which when 10 pieces of distributed information d₁, . . . , d₁₀ are generated, the secret information s can be recovered with 8 pieces of distributed information d₁, . . . , d₈, but the secret information s cannot be recovered with 8 pieces of distributed information d₃, . . . , d₁₀. In other words, there is also a secret distribution scheme according to which whether or not the secret information s can be recovered is controlled not only by the number of pieces of distributed information obtained, but also the combination of distributed information obtained.

Referring to FIG. 3, s₀ will be described. Referring to FIG. 4, s^(→T) will be described.

Let a matrix M be an (L rows×r columns) matrix. Let f^(→T) be a column vector indicated in Formula 126.

$\vec{f}^{T} := (f_1, \ldots, f_r)^{T} \overset{U}{\longleftarrow} \mathbb{F}_q^r$  [Formula 126]

Let s₀ indicated in Formula 127 be secret information to be shared.

$s_0 := \vec{1} \cdot \vec{f}^{T} := \sum_{k=1}^{r} f_k$  [Formula 127]

Let s^(→T) indicated in Formula 128 be a vector of L pieces of distributed information of s₀.

$\vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}$  [Formula 128]

It is assumed that distribution information s_(i) belongs to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, if 1^(→)∈span<(M_(i))_(γ(i)=1)> for γ: {1, . . . , L}→{0, 1}, then there exist constants {α_(i) ∈F_(q)|i∈I} such that I⊆{i∈{1, . . . , L}|γ(i)=1}.

This is obvious from the explanation about the example of FIG. 2 that if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), the span program M̂ accepts the input sequence δ. That is, if the span program M̂ accepts the input sequence δ when there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), then there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→).

Note Formula 129.

$\sum_{i \in I} \alpha_i s_i := s_0$  [Formula 129]

Note that constants {α_(i)} are computable in time polynomial in the size of the matrix M.
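The following added example is not part of the patent text. It works through the map γ computed from inner products, the acceptance test 1^(→)∈span<(M_(i))_(γ(i)=1)>, and the recovery of s₀ by Formula 129. The prime Q, the three-row matrix M, the encoding x^(→)=(1, value) and the sample attribute sets are constructed assumptions.

```python
# Added illustration, not the patent's code: access structure S := (M, rho),
# the map gamma from inner products, and the linear secret distribution.
import secrets

Q = 2**61 - 1  # toy prime field order q (assumption for this example)

def inner(u, v):
    """Inner product of two vectors over F_q (Formula 115)."""
    return sum(a * b for a, b in zip(u, v)) % Q

def gamma(rho, attrs):
    """gamma(i)=1 when the row label rho[i] = (positive, t, v) is satisfied by
    the attribute set attrs = {t: x_t}; a missing category t never matches."""
    sel = []
    for positive, t, v in rho:
        if t not in attrs:
            sel.append(0)  # (t, x_t) is not in Gamma, so neither case applies
        else:
            zero = inner(v, attrs[t]) == 0
            sel.append(1 if zero == positive else 0)
    return sel

def solve_alpha(M, sel):
    """Return {i: alpha_i} with sum_i alpha_i * M[i] = (1,...,1) over the rows
    selected by sel, or None when the all-ones vector is not in their span."""
    rows = [i for i, g in enumerate(sel) if g]
    r = len(M[0])
    # One equation per column k: sum_i alpha_i * M[i][k] = 1 (augmented matrix).
    A = [[M[i][k] % Q for i in rows] + [1] for k in range(r)]
    pivots, row = [], 0
    for col in range(len(rows)):
        p = next((j for j in range(row, r) if A[j][col]), None)
        if p is None:
            continue  # no pivot: this alpha stays a free variable (set to 0)
        A[row], A[p] = A[p], A[row]
        inv = pow(A[row][col], -1, Q)
        A[row] = [a * inv % Q for a in A[row]]
        for j in range(r):
            if j != row and A[j][col]:
                f = A[j][col]
                A[j] = [(a - f * b) % Q for a, b in zip(A[j], A[row])]
        pivots.append((row, col))
        row += 1
    if any(A[j][-1] for j in range(row, r)):
        return None  # an equation reduced to 0 = nonzero: reject
    alpha = {i: 0 for i in rows}
    for pr, pc in pivots:
        alpha[rows[pc]] = A[pr][-1]
    return alpha

def share(M, f=None):
    """Formulas 126-128: pick f, return s0 = 1.f and the shares s = M.f."""
    f = f or [secrets.randbelow(Q) for _ in range(len(M[0]))]
    return sum(f) % Q, [inner(row, f) for row in M]

def recover(M, rho, attrs, shares):
    """Formula 129: s0 = sum_{i in I} alpha_i * s_i, or None if S rejects."""
    alpha = solve_alpha(M, gamma(rho, attrs))
    if alpha is None:
        return None
    return sum(a * shares[i] for i, a in alpha.items()) % Q

def eq_label(value):
    """Label vector v with v.(1, a) = value - a, which is 0 iff a == value."""
    return (value % Q, Q - 1)

# Constructed policy: dept == 10 AND (NOT role == 5 OR level == 4).
M = [[2, 0], [0, 3], [0, 3]]
RHO = [(True, 1, eq_label(10)), (False, 2, eq_label(5)), (True, 3, eq_label(4))]

USERS = {  # constructed attribute sets, x_t = (1, value)
    "staff":      {1: (1, 10), 2: (1, 7), 3: (1, 3)},
    "intern":     {1: (1, 10), 2: (1, 5), 3: (1, 3)},
    "intern_mgr": {1: (1, 10), 2: (1, 5), 3: (1, 4)},
    "other_dept": {1: (1, 11), 2: (1, 7), 3: (1, 4)},
    "no_role":    {1: (1, 10), 3: (1, 3)},
}

def demo():
    """Share a fresh secret and try to recover it with every sample user."""
    s0, shares = share(M)
    return s0, {n: recover(M, RHO, a, shares) for n, a in USERS.items()}

if __name__ == "__main__":
    s0, results = demo()
    for name, got in results.items():
        print(f"{name:11s}", "recovers s0" if got == s0 else "rejected")
```

The "no_role" case shows a property of the non-monotone definition: a negated label ¬(t, v^(→)) is satisfied only when the attribute set contains an entry for category t, so omitting an attribute does not satisfy a negation.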

***Description of Configurations***

Referring to FIG. 5, a configuration of a cryptographic system 100 according to the first embodiment will be described.

The cryptographic system 100 includes a common parameter generation device 10, user secret key generation devices 20, encryption devices 30, a re-encryption key generation device 40, a re-encryption device 50, and a decryption device 60.

The common parameter generation device 10, each of the user secret key generation devices 20, the re-encryption key generation device 40, each of the encryption devices 30, the re-encryption device 50, and the decryption device 60 are connected through a transmission line 70. A specific example of the transmission line 70 is the Internet or a local area network (LAN).

Referring to FIG. 6, a configuration of the common parameter generation device 10 according to the first embodiment will be described.

The common parameter generation device 10 is a computer.

The common parameter generation device 10 includes hardware of a processor 11, a memory 12, a storage 13, and a communication interface 14. The processor 11 is connected with other hardware components through signal lines and controls these other hardware components.

The common parameter generation device 10 includes, as functional components, an acquisition unit 111, a parameter generation unit 112, and an output unit 113. The functions of the functional components of the common parameter generation device 10 are realized by software.

The storage 13 stores programs that realize the functions of the functional components of the common parameter generation device 10. These programs are read into the memory 12 by the processor 11 and executed by the processor 11. This realizes the functions of the functional components of the common parameter generation device 10.

Referring to FIG. 7, a configuration of the user secret key generation device 20 according to the first embodiment will be described.

The user secret key generation device 20 is a computer.

The user secret key generation device 20 includes hardware of a processor 21, a memory 22, a storage 23, and a communication interface 24. The processor 21 is connected with other hardware components through signal lines and controls these other hardware components.

The user secret key generation device 20 includes, as functional components, an acquisition unit 211, a user secret key generation unit 212, and an output unit 213.

The functions of the functional components of the user secret key generation device 20 are realized by software.

The storage 23 stores programs that realize the functions of the functional components of the user secret key generation device 20. These programs are read into the memory 22 by the processor 21 and executed by the processor 21. This realizes the functions of the functional components of the user secret key generation device 20.

Referring to FIG. 8, a configuration of the encryption device 30 according to the first embodiment will be described.

The encryption device 30 is a computer.

The encryption device 30 includes hardware of a processor 31, a memory 32, a storage 33, and a communication interface 34. The processor 31 is connected with other hardware components through signal lines and controls these other hardware components.

The encryption device 30 includes, as functional components, an acquisition unit 311, a ciphertext generation unit 312, and an output unit 313. The functions of the functional components of the encryption device 30 are realized by software.

The storage 33 stores programs that realize the functions of the functional components of the encryption device 30. These programs are read into the memory 32 by the processor 31 and executed by the processor 31. This realizes the functions of the functional components of the encryption device 30.

Referring to FIG. 9, a configuration of the re-encryption key generation device 40 according to the first embodiment will be described.

The re-encryption key generation device 40 is a computer.

The re-encryption key generation device 40 includes hardware of a processor 41, a memory 42, a storage 43, and a communication interface 44. The processor 41 is connected with other hardware components through signal lines and controls these other hardware components.

The re-encryption key generation device 40 includes, as functional components, an acquisition unit 411, a re-encryption key generation unit 412, and an output unit 413. The functions of the functional components of the re-encryption key generation device 40 are realized by software.

The storage 43 stores programs that realize the functions of the functional components of the re-encryption key generation device 40. These programs are read into the memory 42 by the processor 41 and executed by the processor 41. This realizes the functions of the functional components of the re-encryption key generation device 40.

Referring to FIG. 10, a configuration of the re-encryption device 50 according to the first embodiment will be described.

The re-encryption device 50 is a computer.

The re-encryption device 50 includes hardware of a processor 51, a memory 52, a storage 53, and a communication interface 54. The processor 51 is connected with other hardware components through signal lines and controls these other hardware components.

The re-encryption device 50 includes, as functional components, an acquisition unit 511, a re-encrypted ciphertext generation unit 512, and an output unit 513. The acquisition unit 511 includes a ciphertext acquisition unit 514 and a key acquisition unit 515. The functions of the functional components of the re-encryption device 50 are realized by software.

The storage 53 stores programs that realize the functions of the functional components of the re-encryption device 50. These programs are read into the memory 52 by the processor 51 and executed by the processor 51. This realizes the functions of the functional components of the re-encryption device 50.

Referring to FIG. 11, a configuration of the decryption device 60 according to the first embodiment will be described.

The decryption device 60 is a computer.

The decryption device 60 includes hardware of a processor 61, a memory 62, a storage 63, and a communication interface 64. The processor 61 is connected with other hardware components through signal lines and controls these other hardware components.

The decryption device 60 includes, as functional components, an acquisition unit 611, a decryption unit 612, and an output unit 613. The functions of the functional components of the decryption device 60 are realized by software.

The storage 63 stores programs that realize the functions of the functional components of the decryption device 60. These programs are read into the memory 62 by the processor 61 and executed by the processor 61. This realizes the functions of the functional components of the decryption device 60.

Each of the processors 11, 21, 31, 41, 51, and 61 is an integrated circuit (IC) that performs processing. Specific examples of each of the processors 11, 21, 31, 41, 51, and 61 are a central processing unit (CPU), a digital signal processor (DSP), and a graphics processing unit (GPU).

Each of the memories 12, 22, 32, 42, 52, and 62 is a storage device to temporarily store data. Specific examples of each of the memories 12, 22, 32, 42, 52, and 62 are a static random access memory (SRAM) and a dynamic random access memory (DRAM).

Each of the storages 13, 23, 33, 43, 53, and 63 is a storage device to store data. A specific example of each of the storages 13, 23, 33, 43, 53, and 63 is a hard disk drive (HDD). Alternatively, each of the storages 13, 23, 33, 43, 53, and 63 may be a portable recording medium such as a Secure Digital (SD, registered trademark) memory card, CompactFlash (CF, registered trademark), a NAND flash, a flexible disk, an optical disc, a compact disc, a Blu-ray (registered trademark) disc, or a digital versatile disc (DVD).

Each of the communication interfaces 14, 24, 34, 44, 54, and 64 is an interface for communicating with external devices. Specific examples of each of the communication interfaces 14, 24, 34, 44, 54, and 64 are an Ethernet (registered trademark) port, a Universal Serial Bus (USB) port, and a High-Definition Multimedia Interface (HDMI, registered trademark) port.

FIG. 6 illustrates only one processor 11. However, a plurality of processors 11 may be included, and the plurality of processors 11 may cooperatively execute the programs that realize the respective functions.

Similarly, a plurality of processors 21, a plurality of processors 31, a plurality of processors 41, a plurality of processors 51, and a plurality of processors 61 may be included, and the plurality of processors 21, the plurality of processors 31, the plurality of processors 41, the plurality of processors 51, and the plurality of processors 61 may cooperatively execute the programs that realize the respective functions.

***Description of Operation***

Referring to FIGS. 12 to 18 , operation of the cryptographic system 100 according to the first embodiment will be described.

The cryptographic system 100 according to the first embodiment realizes AB-PRE. A key encapsulation mechanism (KEM)-data encapsulation mechanism (DEM) framework is assumed here and an example in which AB-PRE is used as KEM will be described.

AB-PRE includes a Setup algorithm, a KG algorithm, an RKG algorithm, an Enc algorithm, an REnc algorithm, and a Dec algorithm.

The Setup algorithm is a probabilistic algorithm that takes as input a security parameter 1^(λ) and space information n^(→) and outputs a public key pk and a master secret key msk.

The KG algorithm is a probabilistic algorithm that takes as input the public key pk, the master secret key msk, and attribute information Γ, and outputs a decryption key sk_(Γ).

The Enc algorithm is a probabilistic algorithm that takes as input the public key pk and attribute information S, and outputs a ciphertext ct_(S) and a session key K.

The RKG algorithm is a probabilistic algorithm that takes as input the public key pk, the decryption key sk_(Γ) and attribute information S′, and outputs a re-encryption key rk.

The REnc algorithm is a probabilistic algorithm that takes as input the public key pk, the re-encryption key rk, and the ciphertext ct_(S), and outputs a re-encrypted ciphertext rct_(S′).

The Dec algorithm is a deterministic algorithm that takes as input the public key pk, the decryption key sk_(Γ), and one of the ciphertext ct_(S) and the re-encrypted ciphertext rct_(S′), and outputs the session key K.

In the first embodiment, the attribute information S and the attribute information S′ are equivalent to the access structure S:=(M, ρ) described above.

Referring to FIG. 12 , operation of the common parameter generation device 10 according to the first embodiment will be described.

A procedure for the operation of the common parameter generation device 10 according to the first embodiment is equivalent to a common parameter generation method according to the first embodiment. A program that realizes the operation of the common parameter generation device 10 according to the first embodiment is equivalent to a common parameter generation program according to the first embodiment.

The common parameter generation device 10 executes the Setup algorithm.

(Step S11: Acquisition Process)

The acquisition unit 111 acquires a security parameter 1^(λ) and space information n^(→):=(d; n₁, . . . , n_(d)).

Specifically, the acquisition unit 111 acquires the security parameter 1^(λ) and the space information n^(→) that are input by an administrator or the like of the cryptographic system 100 via the communication interface 14. The acquisition unit 111 writes the security parameter 1^(λ) and the space information n^(→) in the memory 12. The space information n^(→) is a parameter that determines a configuration such as the number of dimensions of dual pairing vector spaces used by the cryptographic system 100.

(Step S12: Parameter Generation Process)

The parameter generation unit 112 generates a public key pk and a master secret key msk, using as input the security parameter 1^(λ) and the space information n^(→) acquired in step S11.

Specifically, the parameter generation unit 112 executes an algorithm G_(ob) indicated in Formula 130, using as input the security parameter 1^(λ) and the space information n^(→), so as to generate param_(n), an element g_(T), and bases {B_(t), B*_(t)}_(t=0, . . . , d).

[Formula 130]

$\begin{array}{l}
(\mathrm{param}_{\vec{n}}, g_T, (\mathbb{B}_t, \mathbb{B}_t^*)_{t=0,\ldots,d}) \leftarrow G_{ob}(1^{\lambda}, \vec{n} = (d; n_1, \ldots, n_d)) \\
\text{where} \\
G_{ob}(1^{\lambda}, \vec{n} = (d; n_1, \ldots, n_d)): \\
\quad \mathrm{param}_{\mathbb{G}} := (q, \mathbb{G}, \mathbb{G}_T, g, e) \leftarrow G_{bpg}(1^{\lambda}), \\
\quad N_0 := 6,\ N_t := 3n_t + 1 \text{ for } t = 1, \ldots, d, \\
\quad \psi \overset{U}{\leftarrow} \mathbb{F}_q^{\times},\ g_T = e(g, g)^{\psi}, \\
\quad \text{for } t = 0, \ldots, d, \\
\qquad \mathrm{param}_{\mathbb{V}_t} := (q, \mathbb{V}_t, \mathbb{G}_T, \mathbb{A}_t, e) \overset{R}{\leftarrow} G_{dpvs}(1^{\lambda}, N_t), \\
\qquad X_t := \begin{pmatrix} \vec{\chi}_{t,1} \\ \vdots \\ \vec{\chi}_{t,N_t} \end{pmatrix} := (\chi_{t,i,j})_{i,j} \overset{U}{\leftarrow} GL(N_t, \mathbb{F}_q), \\
\qquad \begin{pmatrix} \vec{v}_{t,1} \\ \vdots \\ \vec{v}_{t,N_t} \end{pmatrix} := (v_{t,i,j})_{i,j} := \psi \cdot (X_t^T)^{-1}, \\
\quad \mathrm{param}_{\vec{n}} := (\{\mathrm{param}_{\mathbb{V}_t}\}_{t=0,\ldots,d}), \\
\quad b_{t,i} := \sum_{j=1}^{N_t} \chi_{t,i,j} a_{t,j},\ \mathbb{B}_t := (b_{t,1}, \ldots, b_{t,N_t}), \\
\quad b_{t,i}^* := \sum_{j=1}^{N_t} v_{t,i,j} a_{t,j},\ \mathbb{B}_t^* := (b_{t,1}^*, \ldots, b_{t,N_t}^*), \\
\text{return } \mathrm{param}_{\vec{n}}, g_T, \{\mathbb{B}_t, \mathbb{B}_t^*\}_{t=0,\ldots,d}.
\end{array}$

The parameter generation unit 112 generates subbases {B̂_(t), B̂*_(t)}_(t=0, . . . , d) based on the bases {B_(t), B*_(t)}_(t=0, . . . , d) as indicated in Formula 131.

$\begin{array}{l}
\hat{\mathbb{B}}_0 := (b_{0,1}, b_{0,2}, b_{0,5}), \\
\hat{\mathbb{B}}_t := (b_{t,1}, \ldots, b_{t,n_t}, b_{t,N_t}) \text{ for } t = 1, \ldots, d, \\
\hat{\mathbb{B}}_0^* := (b_{0,1}^*, b_{0,2}^*, b_{0,4}^*), \\
\hat{\mathbb{B}}_t^* := (b_{t,1}^*, \ldots, b_{t,n_t}^*, b_{t,2n_t+1}^*, \ldots, b_{t,3n_t}^*) \text{ for } t = 1, \ldots, d
\end{array}$  [Formula 131]

The parameter generation unit 112 generates an element a, an element A, and an element c, as indicated in Formula 132.

$\begin{matrix} {{a\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{A:=g_{T}^{a}},{\eta\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{c:=\left( {0,0,0,0,\eta,a} \right)_{{\mathbb{B}}_{0}}}} & \left\lbrack {{Formula}132} \right\rbrack \end{matrix}$

The parameter generation unit 112 sets the security parameter 1^(λ), the param_(n), the element g_(T), the subbasis {B̂_(t)}_(t=0, . . . ,d), the element A, and the element c in the public key pk. The parameter generation unit 112 sets the subbasis {B̂*_(t)}_(t=0, . . . ,d), the element a, and a basis vector b*_(0,6) in the master secret key msk.

(Step S13: Output Process)

The output unit 113 outputs the public key pk and the master secret key msk that are generated in step S12.

Specifically, the output unit 113 transmits the public key pk, via the communication interface 14, to each of the user secret key generation devices 20, each of the encryption devices 30, the re-encryption key generation device 40, the re-encryption device 50, and the decryption device 60. The output unit 113 transmits the master secret key msk to each of the user secret key generation devices 20 via the communication interface 14. At this time, the output unit 113 transmits the master secret key msk after making it confidential by a method such as encryption using an existing encryption algorithm.

Each of the public key pk and the master secret key msk may be stored in a storage medium and sent by postal mail instead of being transmitted via the communication interface 14.

That is, the common parameter generation device 10 executes the Setup algorithm indicated in Formula 133.

[Formula 133]

$\begin{array}{l}
\mathrm{Setup}(1^{\lambda}, \vec{n} = (d; n_1, \ldots, n_d)): \\
\quad (\mathrm{param}_{\vec{n}}, g_T, (\mathbb{B}_t, \mathbb{B}_t^*)_{t=0,\ldots,d}) \leftarrow G_{ob}(1^{\lambda}, \vec{n} = (d; n_1, \ldots, n_d)), \\
\quad \hat{\mathbb{B}}_0 := (b_{0,1}, b_{0,2}, b_{0,5}), \\
\quad \hat{\mathbb{B}}_t := (b_{t,1}, \ldots, b_{t,n_t}, b_{t,N_t}) \text{ for } t = 1, \ldots, d, \\
\quad \hat{\mathbb{B}}_0^* := (b_{0,1}^*, b_{0,2}^*, b_{0,4}^*), \\
\quad \hat{\mathbb{B}}_t^* := (b_{t,1}^*, \ldots, b_{t,n_t}^*, b_{t,2n_t+1}^*, \ldots, b_{t,3n_t}^*) \text{ for } t = 1, \ldots, d, \\
\quad a \overset{U}{\leftarrow} \mathbb{F}_q,\ A := g_T^{a}, \\
\quad \eta \overset{U}{\leftarrow} \mathbb{F}_q,\ c := (0, 0, 0, 0, \eta, a)_{\mathbb{B}_0}, \\
\text{return } pk := (1^{\lambda}, \mathrm{param}_{\vec{n}}, g_T, \{\hat{\mathbb{B}}_t\}_{t=0,\ldots,d}, A, c),\ msk := (\{\hat{\mathbb{B}}_t^*\}_{t=0,\ldots,d}, a, b_{0,6}^*).
\end{array}$

Referring to FIG. 13 , operation of the user secret key generation device 20 according to the first embodiment will be described.

A procedure for the operation of the user secret key generation device 20 according to the first embodiment is equivalent to a user secret key generation method according to the first embodiment. A program that realizes the operation of the user secret key generation device 20 according to the first embodiment is equivalent to a user secret key generation program according to the first embodiment.

The user secret key generation device 20 executes the KG algorithm.

(Step S21: Acquisition Process)

The acquisition unit 211 acquires the public key pk, the master secret key msk, and attribute information Γ:={(t, x^(→) _(t))|x^(→) _(t)∈F_(q) ^(n_(t))\{0^(→)}, 1≤t≤d}.

Specifically, the acquisition unit 211 receives, via the communication interface 24, the public key pk and the master secret key msk that are transmitted by the common parameter generation device 10. The acquisition unit 211 acquires the attribute information Γ that is input by a user or the like of the user secret key generation device 20 via the communication interface 14. The acquisition unit 211 writes the public key pk, the master secret key msk, and the attribute information Γ in the memory 22.

The attribute information Γ indicates attributes such as a belonging organization and a position of the user of a decryption key sk_(Γ). For example, a type of attribute is assigned to each t, and an attribute of the type assigned to t is set in x^(→) _(t). As a specific example, a belonging company is assigned to t=1, a belonging division is assigned to t=2, a belonging section is assigned to t=3, and a position is assigned to t=4. Then, the company to which the user belongs is set in x^(→) ₁, the division to which the user belongs is set in x^(→) ₂, the section to which the user belongs is set in x^(→) ₃, and the position of the user is set in x^(→) ₄.

(Step S22: User Secret Key Generation Process)

The user secret key generation unit 212 generates the decryption key sk_(Γ), using as input the public key pk, the master secret key msk, and the attribute information Γ that are acquired in step S21.

Specifically, the user secret key generation unit 212 generates random numbers, as indicated in Formula 134.

$\begin{matrix} {\delta,{\varphi_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{{{\overset{\rightarrow}{\varphi}}_{t}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{n_{t}}}{for}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}134} \right\rbrack \end{matrix}$

The user secret key generation unit 212 generates a key element k*₀ and a key element k*_(t) for each t included in the attribute information Γ, as indicated in Formula 135.

$\begin{matrix} {{k_{0}^{*}:=\left( {1,\delta,0,\varphi_{0},0,0} \right)_{{\mathbb{B}}_{0}^{*}}},{k_{t}^{*}:={{\left( {\overset{\underset{︷}{n_{t}}}{\delta{\overset{\rightarrow}{x}}_{t}},\overset{\underset{︷}{n_{t}}}{0^{n_{t}}},\overset{\underset{︷}{n_{t}}}{{\overset{\rightarrow}{\varphi}}_{t}},\overset{\underset{︷}{1}}{0}} \right)_{{\mathbb{B}}_{t}^{*}}{for}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}} & \left\lbrack {{Formula}135} \right\rbrack \end{matrix}$

(Step S23: Output Process)

The output unit 213 outputs, as the decryption key sk_(Γ), the attribute information Γ, the key element k*₀ and the key elements k*_(t) generated in step S22, and the basis vector b*_(0,6).

Specifically, the output unit 213 transmits the decryption key sk_(Γ), via the communication interface 24, to the re-encryption key generation device 40 and the decryption device 60. At this time, the output unit 213 transmits the decryption key sk_(Γ) after making it confidential by a method such as encryption using an existing encryption algorithm.

The decryption key sk_(Γ) may be stored in a storage medium and sent by postal mail instead of being transmitted via the communication interface 24.

That is, the user secret key generation device 20 executes the KG algorithm indicated in Formula 136.

[Formula 136]

$\begin{array}{l}
\mathrm{KG}(pk, msk, \Gamma := (\{(t, \vec{x}_t) \mid \vec{x}_t \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\}, 1 \le t \le d\})): \\
\quad \delta, \varphi_0 \overset{U}{\leftarrow} \mathbb{F}_q,\ \vec{\varphi}_t \overset{U}{\leftarrow} \mathbb{F}_q^{n_t} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
\quad k_0^* := (1, \delta, 0, \varphi_0, 0, 0)_{\mathbb{B}_0^*}, \\
\quad k_t^* := (\overbrace{\delta \vec{x}_t}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\vec{\varphi}_t}^{n_t}, \overbrace{0}^{1})_{\mathbb{B}_t^*} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
\text{return } sk_{\Gamma} := (\Gamma, k_0^*, \{k_t^*\}_{(t, \vec{x}_t) \in \Gamma}, b_{0,6}^*).
\end{array}$

Referring to FIG. 14 , operation of the encryption device 30 according to the first embodiment will be described.

A procedure for the operation of the encryption device 30 according to the first embodiment is equivalent to an encryption method according to the first embodiment.

A program that realizes the operation of the encryption device 30 according to the first embodiment is equivalent to an encryption program according to the first embodiment.

The encryption device 30 executes the Enc algorithm.

(Step S31: Acquisition Process)

The acquisition unit 311 acquires the public key pk and attribute information S=(M, ρ).

Specifically, the acquisition unit 311 receives, via the communication interface 34, the public key pk transmitted by the common parameter generation device 10. The acquisition unit 311 acquires the attribute information S that is input by a user or the like of the encryption device 30 via the communication interface 14. The acquisition unit 311 writes the public key pk and the attribute information S in the memory 32.

The attribute information S indicates a range of attributes to be permitted to decrypt a ciphertext ct_(S). Specifically, the attribute information S indicates the range of attributes to be permitted to decrypt the ciphertext ct_(S), as a conditional expression using logical OR and logical AND.

(Step S32: Ciphertext Generation Process)

The ciphertext generation unit 312 generates the ciphertext ct_(S), using as input the public key pk and the attribute information S that are acquired in step S31.

Specifically, the ciphertext generation unit 312 generates distributed information s_(i) for each integer i of i=1, . . . , L and secret information s₀, as indicated in Formula 137.

$\begin{matrix} {{\text{?}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{r}},{\text{?}:={{\left( {s_{1},\ldots,s_{L}} \right)T}:={M \cdot \text{?}}}},{s_{0}:=\text{?}}} & \left\lbrack {{Formula}137} \right\rbrack \end{matrix}$ ?indicates text missing or illegible when filed

The ciphertext generation unit 312 generates random numbers, as indicated in Formula 138.

$\begin{matrix} {\eta_{0},{\zeta\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}} & \left\lbrack {{Formula}138} \right\rbrack \end{matrix}$

The ciphertext generation unit 312 generates a cipher element c₀, as indicated in Formula 139.

c ₀ :=c+

  [Formula 139]

The ciphertext generation unit 312 generates a session key K, as indicated in Formula 140.

$K := g_T^{\zeta}$  [Formula 140]

The ciphertext generation unit 312 generates a cipher element c_(i) for each integer i of i=1, . . . , L, as indicated in Formula 141.

[Formula 141]

$\begin{array}{l}
\text{for } i = 1, \ldots, L, \\
\quad \text{if } \rho(i) = (t, \vec{v}_i := (v_{i,1}, \ldots, v_{i,n_t}) \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\})\ (v_{i,n_t} \ne 0), \\
\qquad \theta_i, \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
\qquad c_i := (\overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
\quad \text{if } \rho(i) = \neg(t, \vec{v}_i), \\
\qquad \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
\qquad c_i := (\overbrace{s_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}
\end{array}$

(Step S33: Output Process)

The output unit 313 outputs the ciphertext ct_(S) including the attribute information S and the cipher element c_(i) for each integer i of i=0, . . . , L generated in step S32, and the session key K generated in step S32.

Specifically, the output unit 313 transmits the ciphertext ct_(S), via the communication interface 34, to the re-encryption device 50 and the decryption device 60. The output unit 313 writes the session key K in the memory 32.

That is, the encryption device 30 executes the Enc algorithm indicated in Formula 142.

[Formula 142]

$\begin{array}{l}
\mathrm{Enc}(pk, S := (M, \rho)): \\
\quad \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r},\ \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T},\ s_0 := \vec{1} \cdot \vec{f}^{T}, \\
\quad \eta_0, \zeta \overset{U}{\leftarrow} \mathbb{F}_q,\ c_0 := c + (\zeta, -s_0, 0, 0, \eta_0, 0)_{\mathbb{B}_0},\ K := g_T^{\zeta}, \\
\quad \text{for } i = 1, \ldots, L, \\
\qquad \text{if } \rho(i) = (t, \vec{v}_i := (v_{i,1}, \ldots, v_{i,n_t}) \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\})\ (v_{i,n_t} \ne 0), \\
\qquad\quad \theta_i, \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
\qquad\quad c_i := (\overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
\qquad \text{if } \rho(i) = \neg(t, \vec{v}_i), \\
\qquad\quad \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
\qquad\quad c_i := (\overbrace{s_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
\text{return } ct_{S} := (S, \{c_i\}_{i=0,\ldots,L}),\ K.
\end{array}$

Referring to FIG. 15 , operation of the re-encryption key generation device 40 according to the first embodiment will be described.

A procedure for the operation of the re-encryption key generation device 40 according to the first embodiment is equivalent to a re-encryption key generation method according to the first embodiment. A program that realizes the operation of the re-encryption key generation device 40 according to the first embodiment is equivalent to a re-encryption key generation program according to the first embodiment.

The re-encryption key generation device 40 executes the RKG algorithm.

(Step S41: Acquisition Process)

The acquisition unit 411 acquires the public key pk, the decryption key sk_(Γ), and attribute information S′:=(M, ρ).

Specifically, the acquisition unit 411 receives, via the communication interface 44, the public key pk transmitted by the common parameter generation device 10. The acquisition unit 411 receives, via the communication interface 44, the decryption key sk_(Γ) transmitted by the user secret key generation device 20. The acquisition unit 411 acquires the attribute information S′ that is input by a user or the like of the re-encryption key generation device 40 via the communication interface 14. The acquisition unit 411 writes the public key pk, the decryption key sk_(Γ), and the attribute information S′ in the memory 42.

The attribute information S′ indicates a range of attributes to be permitted to decrypt a re-encrypted ciphertext rct_(S′). Specifically, like the attribute information S, the attribute information S′ indicates the range of attributes to be permitted to decrypt the re-encrypted ciphertext rct_(S′), as a conditional expression using logical OR and logical AND.

(Step S42: Re-Encryption Key Generation Process)

The re-encryption key generation unit 412 generates the re-encryption key rk, using as input the public key pk, the decryption key sk_(Γ), and the attribute information S′ that are acquired in step S41.

Specifically, the re-encryption key generation unit 412 generates a random number, as indicated in Formula 143.

$\begin{matrix} {r\overset{U}{\longleftarrow}{\mathbb{F}}_{q}} & \left\lbrack {{Formula}143} \right\rbrack \end{matrix}$

The re-encryption key generation unit 412 generates a converted decryption key sk_(Γ) ^(˜), as indicated in Formula 144.

$\widetilde{sk}_{\Gamma} := (\Gamma,\ k_0^* + r b_{0,6}^*,\ \{k_t^*\}_{(t, \vec{x}_t) \in \Gamma})$  [Formula 144]

As a result, k*₀ included in the converted decryption key sk_(Γ) ^(˜) is as indicated in Formula 145.

k* ₀:=

  [Formula 145]

The re-encryption key generation unit 412 executes the Enc algorithm, using as input the public key pk and the attribute information S′, so as to generate a ciphertext ct_(S′) and a session key K′, as indicated in Formula 146.

$(ct_{S'}, K') \leftarrow \mathrm{Enc}(pk, S')$  [Formula 146]

That is, the re-encryption key generation unit 412 executes processes of step S32 of FIG. 14 , using as input the public key pk and the attribute information S′, so as to generate the ciphertext ct_(S′) and the session key K′.

(Step S43: Output Process)

The output unit 413 outputs, as the re-encryption key rk, the converted decryption key sk_(Γ) ^(˜), an element A^(r)·K′, and the ciphertext ct_(S′). The element A^(r)·K′ is obtained by multiplying an element A^(r), which is obtained from the element A and the random number r included in the public key pk, by the session key K′.

Specifically, the output unit 413 transmits the re-encryption key rk to the re-encryption device 50 via the communication interface 44.

That is, the re-encryption key generation device 40 executes the RKG algorithm indicated in Formula 147.

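[Formula 147]

$\begin{array}{l}
\mathrm{RKG}(pk, sk_{\Gamma} := (\Gamma, k_0^*, \{k_t^*\}_{(t, \vec{x}_t) \in \Gamma}, b_{0,6}^*), S' := (M', \rho')): \\
\quad r \overset{U}{\leftarrow} \mathbb{F}_q, \\
\quad \widetilde{sk}_{\Gamma} := (\Gamma,\ k_0^* + r b_{0,6}^*,\ \{k_t^*\}_{(t, \vec{x}_t) \in \Gamma}), \\
\quad (ct_{S'}, K') \leftarrow \mathrm{Enc}(pk, S'), \\
\text{return } rk := (\widetilde{sk}_{\Gamma},\ A^{r} \cdot K',\ ct_{S'}).
\end{array}$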

Referring to FIG. 16 , operation of the re-encryption device 50 according to the first embodiment will be described.

A procedure for the operation of the re-encryption device 50 according to the first embodiment is equivalent to a re-encryption method according to the first embodiment. A program that realizes the operation of the re-encryption device 50 according to the first embodiment is equivalent to a re-encryption program according to the first embodiment.

The re-encryption device 50 executes the REnc algorithm.

(Step S51: Ciphertext Acquisition Process)

The ciphertext acquisition unit 514 acquires the ciphertext ct_(S). That is, the ciphertext acquisition unit 514 acquires the ciphertext ct_(S) out of the session key K and the ciphertext ct_(S) in which the session key K is encrypted that are generated by the Enc algorithm, which is an encryption algorithm, using as input the attribute information S that defines the range to be permitted decryption.

Specifically, the ciphertext acquisition unit 514 receives, via the communication interface 54, the ciphertext ct_(S) transmitted by the encryption device 30. The ciphertext acquisition unit 514 writes the ciphertext ct_(S) in the memory 52.

(Step S52: Key Acquisition Process)

The key acquisition unit 515 acquires the re-encryption key rk. That is, the key acquisition unit 515 acquires the re-encryption key rk including the converted decryption key sk_(Γ) ^(˜) generated by setting the random number r in the decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, the session key K′ and the ciphertext ct_(S′) in which the session key K′ is encrypted that are generated by the Enc algorithm, which is an encryption algorithm, using as input the attribute information S′ that defines the range to be permitted decryption, and conversion information A^(r) generated from the random number r. The key acquisition unit 515 also acquires the public key pk.

Specifically, the key acquisition unit 515 receives, via the communication interface 54, the public key pk transmitted by the common parameter generation device 10 and the re-encryption key rk transmitted by the re-encryption key generation device 40. The key acquisition unit 515 writes the public key pk and the re-encryption key rk in the memory 52.

(Step S53: Determination Process)

The re-encrypted ciphertext generation unit 512 determines whether the attribute information S, which is the access structure included in the ciphertext ct_(S), accepts the attribute information Γ included in the re-encryption key rk.

If it is accepted, the re-encrypted ciphertext generation unit 512 advances the process to step S54. If it is not accepted, the re-encrypted ciphertext generation unit 512 determines that a re-encrypted ciphertext rct_(S′) cannot be generated and terminates the process.

(Step S54: Re-Encrypted Ciphertext Generation Process)

The re-encrypted ciphertext generation unit 512 generates a re-encrypted ciphertext rct_(S′), using as input the ciphertext ct_(S) acquired in step S51 and the public key pk and the re-encryption key rk acquired in step S52.

Specifically, the re-encrypted ciphertext generation unit 512 generates decryption information K̂ by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) included in the re-encryption key rk. The re-encrypted ciphertext generation unit 512 generates a cipher element K^(˜) by deleting the element related to the random number r from the decryption information K̂ by the conversion information A^(r) and setting the session key K′.

This will be described more specifically.

The re-encrypted ciphertext generation unit 512 calculates an index I and a complementary coefficient {α_(i)}_(i∈I) indicated in Formula 148.

$\begin{array}{l}
\vec{1} = \sum_{i \in I} \alpha_i M_i, \\
I \subseteq \{ i \in \{1, \ldots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \ne 0] \}
\end{array}$  [Formula 148]

Note that M_(i) is an i-th row of the matrix M.

The re-encrypted ciphertext generation unit 512 generates the decryption information K̂ by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜), as indicated in Formula 149.

$\begin{matrix} {\hat{K}:={{e\left( {c_{0},k_{0}^{*}} \right)}\text{?}{e\left( {c_{i},k_{t}^{*}} \right)}^{\alpha_{i}}\text{?}{e\left( {c_{i},k_{t}^{*}} \right)}^{\alpha_{i}}\text{?}}} & \left\lbrack {{Formula}149} \right\rbrack \end{matrix}$ ?indicates text missing or illegible when filed

Then, the re-encrypted ciphertext generation unit 512 generates the cipher element K^(˜) by deleting the element related to the random number r from the decryption information K̂ by the element A^(r)·K′ that includes the conversion information A^(r) and setting the session key K′. Specifically, the re-encrypted ciphertext generation unit 512 generates the cipher element K^(˜) by dividing the decryption information K̂ by the element A^(r)·K′.

(Step S55: Output Process)

The output unit 513 outputs, as the re-encrypted ciphertext rct_(S′), the ciphertext ct_(S′) and the cipher element K^(˜).

Specifically, the output unit 513 transmits the re-encrypted ciphertext rct_(S′) to the decryption device 60 via the communication interface 54.

That is, the re-encryption device 50 executes the REnc algorithm indicated in Formula 150.

[Formula 150]

$\begin{array}{l}
\mathrm{REnc}(pk, rk := (\widetilde{sk}_{\Gamma}, A^{r} \cdot K', ct_{S'}), ct_{S} := (S, \{c_i\}_{i=0,\ldots,L})): \\
\quad \text{If } S \text{ accepts } \Gamma \text{ then compute } I \text{ and } \{\alpha_i\}_{i \in I} \text{ such that} \\
\quad \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
\quad I \subseteq \{ i \in \{1, \ldots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor \\
\qquad\qquad [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \ne 0] \}, \\
\quad \hat{K} := e(c_0, k_0^*) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^*)^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^*)^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}, \\
\quad \tilde{K} := \hat{K} / (A^{r} \cdot K'), \\
\text{return } rct_{S'} := (ct_{S'} := (S', \{c_i\}_{i=0,\ldots,L}), \tilde{K}).
\end{array}$

The re-encryption device 50 re-encrypts the ciphertext ct_(S) generated by the encryption device 30 and changes the range to be permitted decryption from the attribute information S to the attribute information S′ here. However, the re-encryption device 50 can also re-encrypt the re-encrypted ciphertext rct_(S′), and change the range to be permitted decryption.

In this case, in step S51 the ciphertext acquisition unit 514 may acquire, as the ciphertext ct_(S), the ciphertext ct_(S′) included in the re-encrypted ciphertext rct_(S′). The subsequent processes are the same as in the case where the ciphertext ct_(S) generated by the encryption device 30 is re-encrypted.
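The following Python sketch is an added illustration, not code from the patent: it checks the algebra of Formulas 132 to 150 in a toy model where vectors are coefficient lists over the dual bases and e(c, k*) = g_T^(c·k), so it shows why K̂ = K·A^r and why K^(˜)·K′ = K, but it provides no security. The tiny group (Q, P, G_T), the attribute encoding x_t = (1, value), the fixed coefficients α = (1, 1), and all function names are assumptions made for the example.

```python
import secrets

# Constructed toy group: P = 2Q + 1 with Q prime; G_T = 4 has order Q in Z_P^*.
Q, P, G_T = 1019, 2039, 4

def rnd():
    """Nonzero element of F_Q; nonzero sampling keeps the checks below deterministic."""
    return 1 + secrets.randbelow(Q - 1)

def pair(c, k):
    """e(c, k*) for coefficient vectors over dual bases B_t, B*_t: g_T^(c . k)."""
    return pow(G_T, sum(x * y for x, y in zip(c, k)) % Q, P)

def setup():
    """Formula 132: A := g_T^a, c := (0,0,0,0,eta,a)_{B_0}."""
    a, eta = rnd(), rnd()
    return {"A": pow(G_T, a, P), "c": [0, 0, 0, 0, eta, a]}

def keygen(gamma):
    """Formula 135. gamma maps t -> x_t; x_t[0] == 1 is assumed by this toy."""
    delta, phi0 = rnd(), rnd()
    kt = {t: [delta * xi % Q for xi in x] + [0] * len(x)
             + [rnd() for _ in x] + [0]
          for t, x in gamma.items()}
    return {"k0": [1, delta, 0, phi0, 0, 0], "kt": kt}

def enc(pk, policy):
    """Formula 142, positive rows only. policy: list of (M_i, t, v_i)."""
    f = [rnd() for _ in policy[0][0]]
    s0 = sum(f) % Q                                   # s_0 := 1 . f^T
    zeta, eta0 = rnd(), rnd()
    c0 = [(x + y) % Q for x, y in zip(pk["c"], [zeta, -s0, 0, 0, eta0, 0])]
    cs = []
    for M_i, t, v in policy:
        s_i = sum(m * fj for m, fj in zip(M_i, f)) % Q
        theta = rnd()
        head = [(s_i * (j == 0) + theta * vj) % Q for j, vj in enumerate(v)]
        cs.append(head + [0] * (2 * len(v)) + [rnd()])
    return {"policy": policy, "c0": c0, "cs": cs}, pow(G_T, zeta, P)

def pairing_product(k0, kt, ct, alpha):
    """Right-hand side of Formulas 150/153, restricted to positive rows."""
    out = pair(ct["c0"], k0)
    for (M_i, t, v), c_i, a_i in zip(ct["policy"], ct["cs"], alpha):
        out = out * pow(pair(c_i, kt[t]), a_i, P) % P
    return out

def rkg(pk, sk, new_policy):
    """Formula 147: blind k0* with r*b*_{0,6}, encapsulate K' under S'."""
    r = rnd()
    k0_conv = sk["k0"][:5] + [(sk["k0"][5] + r) % Q]
    ct2, k_prime = enc(pk, new_policy)
    return {"k0": k0_conv, "kt": sk["kt"],
            "ArK": pow(pk["A"], r, P) * k_prime % P, "ct2": ct2}

def renc(rk, ct, alpha):
    """Formula 150: K^ from the converted key, then K~ := K^ / (A^r * K')."""
    k_hat = pairing_product(rk["k0"], rk["kt"], ct, alpha)
    k_tilde = k_hat * pow(rk["ArK"], -1, P) % P
    return {"ct2": rk["ct2"], "K_tilde": k_tilde}, k_hat

def demo():
    pk = setup()
    # x_t = (1, value); v_i = (value, -1) gives v_i . x_t = 0 exactly on a match.
    alice = keygen({1: [1, 7], 2: [1, 3]})              # company 7, division 3
    bob = keygen({1: [1, 7], 2: [1, 5]})                # company 7, division 5
    S = [([1, 0], 1, [7, -1]), ([0, 1], 2, [3, -1])]    # company 7 AND division 3
    S2 = [([1, 0], 1, [7, -1]), ([0, 1], 2, [5, -1])]   # company 7 AND division 5
    alpha = [1, 1]                                      # 1*M_1 + 1*M_2 = (1, 1)
    ct, K = enc(pk, S)
    rk = rkg(pk, alice, S2)
    rct, k_hat = renc(rk, ct, alpha)
    k_prime = pairing_product(bob["k0"], bob["kt"], rct["ct2"], alpha)
    return {
        "alice_decrypts_ct": pairing_product(alice["k0"], alice["kt"], ct, alpha) == K,
        "bob_fails_on_ct": pairing_product(bob["k0"], bob["kt"], ct, alpha) != K,
        "proxy_sees_only_blinded": k_hat != K and rct["K_tilde"] != K,
        "bob_recovers_K": rct["K_tilde"] * k_prime % P == K,
    }

if __name__ == "__main__":
    print(demo())
```

In this model the re-encryption device only ever holds K̂ = K·A^r and K^(˜) = K/K′, so the session key K appears in the clear only for a holder of a key accepted by S′.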

Referring to FIGS. 17 and 18 , operation of the decryption device 60 according to the first embodiment will be described.

A procedure for the operation of the decryption device 60 according to the first embodiment is equivalent to a decryption method according to the first embodiment. A program that realizes the operation of the decryption device 60 according to the first embodiment is equivalent to a decryption program according to the first embodiment.

The decryption device 60 executes the Dec algorithm.

Referring to FIG. 17 , processes when the ciphertext ct_(S) is decrypted according to the first embodiment will be described.

(Step S61: Acquisition Process)

The acquisition unit 611 acquires the public key pk, the decryption key sk_(Γ), and the ciphertext ct_(S).

Specifically, the acquisition unit 611 receives, via the communication interface 64, the public key pk transmitted by the common parameter generation device 10. The acquisition unit 611 receives, via the communication interface 64, the decryption key sk_(Γ) transmitted by the user secret key generation device 20. The acquisition unit 611 acquires, via the communication interface 64, the ciphertext ct_(S) transmitted by the encryption device 30. The acquisition unit 611 writes the public key pk, the decryption key sk_(Γ), and the ciphertext ct_(S) in the memory 62.

(Step S62: Determination Process)

The decryption unit 612 determines whether the attribute information S, which is the access structure included in the ciphertext ct_(S), accepts the attribute information Γ included in the decryption key sk_(Γ).

If it is accepted, the decryption unit 612 advances the process to step S63. If it is not accepted, the decryption unit 612 determines that the ciphertext ct_(S) cannot be decrypted and terminates the process.

(Step S63: Decryption Process)

The decryption unit 612 decrypts the ciphertext ct_(S) with the decryption key sk_(Γ) to generate the session key K.

Specifically, the decryption unit 612 calculates an index I and a complementary coefficient {α_(i)}_(i∈I) indicated in Formula 151.

[Formula 151]

$$\begin{aligned}
&\vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}
\end{aligned}$$

Note that M_(i) is the i-th row of the matrix M.

The decryption unit 612 calculates Formula 152 to generate the session key K.

[Formula 152]

$$K := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}$$

That is, the decryption device 60 executes the Dec algorithm indicated in Formula 153.

[Formula 153]

$$\begin{aligned}
&\mathrm{Dec}(pk,\ sk_{\Gamma} := (\Gamma, k_0^{*}, \{k_t^{*}\}_{(t, \vec{x}_t) \in \Gamma}),\ ct_{S} := (S, \{c_i\}_{i=0,\dots,L})): \\
&\quad \text{If } S \text{ accepts } \Gamma \text{ then compute } I \text{ and } \{\alpha_i\}_{i \in I} \text{ such that} \\
&\qquad \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&\qquad I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}, \\
&\quad K := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}, \\
&\quad \text{return } K.
\end{aligned}$$

Referring to FIG. 18, processes when the re-encrypted ciphertext rct_(S′) is decrypted according to the first embodiment will be described.

(Step S71: Acquisition Process)

The acquisition unit 611 acquires the public key pk, the decryption key sk_(Γ′), and the re-encrypted ciphertext rct_(S′). It is assumed here that attribute information that is accepted by the access structure, which is the attribute information S′, is attribute information Γ′, and that a decryption key generated using as input the attribute information Γ′ is the decryption key sk_(Γ′).

Specifically, the acquisition unit 611 receives, via the communication interface 64, the public key pk transmitted by the common parameter generation device 10. The acquisition unit 611 receives, via the communication interface 64, the decryption key sk_(Γ′) transmitted by the user secret key generation device 20. The acquisition unit 611 receives, via the communication interface 64, the re-encrypted ciphertext rct_(S′) generated by the re-encryption device 50. The acquisition unit 611 writes the public key pk, the decryption key sk_(Γ′), and the re-encrypted ciphertext rct_(S′), in the memory 62.

(Step S72: Determination Process)

The decryption unit 612 determines whether the attribute information S′, which is the access structure included in the re-encrypted ciphertext rct_(S′), accepts the attribute information Γ′ included in the decryption key sk_(Γ′).

If it is accepted, the decryption unit 612 advances the process to step S73. If it is not accepted, the decryption unit 612 determines that the re-encrypted ciphertext rct_(S′) cannot be decrypted and terminates the process.

(Step S73: Decryption Process)

The decryption unit 612 decrypts the re-encrypted ciphertext rct_(S′) with the decryption key sk_(Γ′) to generate the session key K.

Specifically, the decryption unit 612 decrypts the ciphertext ct_(S′) included in the re-encrypted ciphertext rct_(S′) with the decryption key sk_(Γ′) to generate the session key K′, and generates the session key K from the cipher element K^(˜) included in the re-encrypted ciphertext rct_(S′) and the session key K′.

This will be described more specifically.

The re-encrypted ciphertext rct_(S′) is decrypted with the decryption key sk_(Γ′) to generate the session key K.

Specifically, the decryption unit 612 calculates an index I and a complementary coefficient {α_(i)}_(i∈I) indicated in Formula 154.

[Formula 154]

$$\begin{aligned}
&\vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}
\end{aligned}$$

Note that M_(i) is the i-th row of the matrix M.

The decryption unit 612 calculates Formula 155 to generate the session key K′.

[Formula 155]

$$K' := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}$$

The decryption unit 612 multiplies the cipher element K^(˜) by the session key K′ to generate the session key K.

That is, the decryption device 60 executes the Dec algorithm indicated in Formula 156.

[Formula 156]

$$\begin{aligned}
&\mathrm{Dec}(pk,\ sk_{\Gamma'} := (\Gamma', k_0^{*}, \{k_t^{*}\}_{(t, \vec{x}_t) \in \Gamma}),\ rct_{S'} := (ct_{S'} := (S', \{c_i\}_{i=0,\dots,L}), \tilde{K})): \\
&\quad \text{If } S' \text{ accepts } \Gamma \text{ then compute } I \text{ and } \{\alpha_i\}_{i \in I} \text{ such that} \\
&\qquad \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&\qquad I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}, \\
&\quad K' := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}, \\
&\quad K := \tilde{K} \cdot K', \\
&\quad \text{return } K.
\end{aligned}$$
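The determination in steps S62 and S72 and the computation of I and {α_i} in Formulas 151 and 154 can be illustrated as follows. This is an added Python example, not part of the patent text: it solves for the complementary coefficients by Gaussian elimination over F_q and derives the exponent applied to each e(c_i, k_t^*). The field order Q, the encodings x_t = (1, x) and v_i = (v, −1), and the sample policy are constructed assumptions.

```python
"""Span-program acceptance and complementary coefficients (Formulas 151/154)."""

Q = 2**61 - 1  # constructed prime standing in for the field order q


def inner(v, x, q=Q):
    """Inner product v . x over F_q."""
    return sum(a * b for a, b in zip(v, x)) % q


def usable_rows(rho, gamma, q=Q):
    """Rows allowed in I: maps row index -> v_i . x_t (needed for negated rows)."""
    rows = {}
    for i, (negated, t, v) in enumerate(rho):
        if t not in gamma:          # (t, x_t) must be in Gamma, also for negated rows
            continue
        ip = inner(v, gamma[t], q)
        if (ip != 0) == negated:    # positive row needs ip == 0, negated needs ip != 0
            rows[i] = ip
    return rows


def solve_alpha(M, idx, q=Q):
    """Solve sum_{i in idx} alpha_i * M_i = (1,...,1) over F_q; None if unsolvable."""
    r = len(M[0])
    # One equation per column of M, one unknown per usable row, right-hand side 1.
    aug = [[M[i][c] % q for i in idx] + [1] for c in range(r)]
    pivots, row = [], 0
    for col in range(len(idx)):
        p = next((k for k in range(row, r) if aug[k][col]), None)
        if p is None:
            continue
        aug[row], aug[p] = aug[p], aug[row]
        inv = pow(aug[row][col], -1, q)
        aug[row] = [a * inv % q for a in aug[row]]
        for k in range(r):
            if k != row and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(a - f * b) % q for a, b in zip(aug[k], aug[row])]
        pivots.append(col)
        row += 1
        if row == r:
            break
    if any(not any(eq[:-1]) and eq[-1] for eq in aug):
        return None                 # 1-vector is outside the span: S rejects Gamma
    alpha = {i: 0 for i in idx}     # free unknowns stay 0
    for k, col in enumerate(pivots):
        alpha[idx[col]] = aug[k][-1]
    return alpha


def dec_exponents(M, rho, gamma, q=Q):
    """Return {i: exponent of e(c_i, k_t^*)} for i in I, or None if S rejects Gamma."""
    rows = usable_rows(rho, gamma, q)
    alpha = solve_alpha(M, sorted(rows), q)
    if alpha is None:
        return None
    exps = {}
    for i, a in alpha.items():
        if a == 0:
            continue                # row not needed, leave it out of I
        # negated rows are raised to alpha_i / (v_i . x_t), positive rows to alpha_i
        exps[i] = a * pow(rows[i], -1, q) % q if rho[i][0] else a
    return exps


# Constructed policy: (dept = 7 AND NOT role = 3) OR clearance = 9.
# Assumed encoding: x_t = (1, x), v_i = (v, -1), so v_i . x_t = v - x.
M = [[1, 0], [0, 1], [1, 1]]
RHO = [(False, "dept", (7, -1)), (True, "role", (3, -1)), (False, "clearance", (9, -1))]

if __name__ == "__main__":
    for gamma in (
        {"dept": (1, 7), "role": (1, 5)},   # accepted through rows 0 and 1
        {"dept": (1, 7), "role": (1, 3)},   # rejected: negated row has v . x = 0
        {"dept": (1, 7)},                   # rejected: negated row needs the attribute present
        {"clearance": (1, 9)},              # accepted through row 2 alone
    ):
        print(gamma, "->", dec_exponents(M, RHO, gamma))
```

A key that lacks the attribute category of a negated row cannot use that row, because both branches of the set I require (t, x_t) ∈ Γ.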

Effects of the First Embodiment

As described above, the cryptographic system 100 according to the first embodiment generates the re-encrypted ciphertext rct_(S′) that includes as essential elements only the ciphertext ct_(S′) and the cipher element K^(˜). Even when the cryptographic system 100 according to the first embodiment re-encrypts the re-encrypted ciphertext rct_(S′), essential elements of the re-encrypted ciphertext rct_(S′) are only the ciphertext ct_(S′) and the cipher element K^(˜). That is, even if re-encryption is repeated, essential elements will not increase.

Therefore, it is possible to make the data size of a ciphertext generated by re-encryption not dependent on the number of times re-encryption is performed.

***Other Configurations***

<First Variation>

In the first embodiment, the functional components are realized by software. However, as a first variation, the functional components may be realized by hardware. With regard to this first variation, differences from the first embodiment will be described.

A configuration of the common parameter generation device 10 according to the first variation will be described.

When the functional components are realized by hardware, the common parameter generation device 10 includes an electronic circuit 15 in place of the processor 11, the memory 12, and the storage 13. The electronic circuit 15 is a dedicated circuit that realizes the functions of the functional components, the memory 12, and the storage 13.

A configuration of the user secret key generation device 20 according to the first variation will be described.

When the functional components are realized by hardware, the user secret key generation device 20 includes an electronic circuit 25 in place of the processor 21, the memory 22, and the storage 23. The electronic circuit 25 is a dedicated circuit that realizes the functions of the functional components, the memory 22, and the storage 23.

A configuration of the encryption device 30 according to the first variation will be described.

When the functional components are realized by hardware, the encryption device 30 includes an electronic circuit 35 in place of the processor 31, the memory 32, and the storage 33. The electronic circuit 35 is a dedicated circuit that realizes the functions of the functional components, the memory 32, and the storage 33.

A configuration of the re-encryption key generation device 40 according to the first variation will be described.

When the functional components are realized by hardware, the re-encryption key generation device 40 includes an electronic circuit 45 in place of the processor 41, the memory 42, and the storage 43. The electronic circuit 45 is a dedicated circuit that realizes the functions of the functional components, the memory 42, and the storage 43.

A configuration of the re-encryption device 50 according to the first variation will be described.

When the functional components are realized by hardware, the re-encryption device 50 includes an electronic circuit 55 in place of the processor 51, the memory 52, and the storage 53. The electronic circuit 55 is a dedicated circuit that realizes the functions of the functional components, the memory 52, and the storage 53.

A configuration of the decryption device 60 according to the first variation will be described.

When the functional components are realized by hardware, the decryption device 60 includes an electronic circuit 65 in place of the processor 61, the memory 62, and the storage 63. The electronic circuit 65 is a dedicated circuit that realizes the functions of the functional components, the memory 62, and the storage 63.

Each of the electronic circuits 15, 25, 35, 45, 55, and 65 is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a gate array (GA), an application specific integrated circuit (ASIC), or a field-programmable gate array (FPGA).

The respective functional components may be realized by one electronic circuit 15, one electronic circuit 25, one electronic circuit 35, one electronic circuit 45, one electronic circuit 55, and one electronic circuit 65, or the respective functional components may be distributed among and realized by a plurality of electronic circuits 15, a plurality of electronic circuits 25, a plurality of electronic circuits 35, a plurality of electronic circuits 45, a plurality of electronic circuits 55, and a plurality of electronic circuits 65.

<Second Variation>

As a second variation, some of the functional components may be realized by hardware, and the rest of the functional components may be realized by software.

Each of the processors 11, 21, 31, 41, 51, 61, the memories 12, 22, 32, 42, 52, 62, the storages 13, 23, 33, 43, 53, 63, and the electronic circuits 15, 25, 35, 45, 55, 65 is referred to as processing circuitry. That is, the functions of the functional components are realized by the processing circuitry.

REFERENCE SIGNS LIST

100: cryptographic system, 10: common parameter generation device, 11: processor, 12: memory, 13: storage, 14: communication interface, 15: electronic circuit, 111: acquisition unit, 112: parameter generation unit, 113: output unit, 20: user secret key generation device, 21: processor, 22: memory, 23: storage, 24: communication interface, 25: electronic circuit, 211: acquisition unit, 212: user secret key generation unit, 213: output unit, 30: encryption device, 31: processor, 32: memory, 33: storage, 34: communication interface, 35: electronic circuit, 311: acquisition unit, 312: ciphertext generation unit, 313: output unit, 40: re-encryption key generation device, 41: processor, 42: memory, 43: storage, 44: communication interface, 45: electronic circuit, 411: acquisition unit, 412: re-encryption key generation unit, 413: output unit, 50: re-encryption device, 51: processor, 52: memory, 53: storage, 54: communication interface, 55: electronic circuit, 511: acquisition unit, 512: re-encrypted ciphertext generation unit, 513: output unit, 514: ciphertext acquisition unit, 515: key acquisition unit, 60: decryption device, 61: processor, 62: memory, 63: storage, 64: communication interface, 65: electronic circuit, 611: acquisition unit, 612: decryption unit, 613: output unit. 

1. A re-encryption device comprising processing circuitry to: acquire a ciphertext ct_(S) out of a session key K and the ciphertext ct_(S) in which the session key K is encrypted that are generated by an encryption algorithm using as input attribute information S that defines a range to be permitted decryption; acquire a re-encryption key rk including a converted decryption key sk_(Γ) ^(˜) that is generated by setting a random number r in a decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, a session key K′ and a ciphertext ct_(S)′ in which the session key K′ is encrypted that are generated by the encryption algorithm using as input attribute information S′ that defines a range to be permitted decryption, and conversion information that is generated from the random number r; generate a cipher element K^(˜) by deleting an element related to the random number r by the conversion information from decryption information K̂ and setting the session key K′, the decryption information K̂ being obtained by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) included in the re-encryption key rk; and output a re-encrypted ciphertext rct_(S)′ including the cipher element K^(˜) and the ciphertext ct_(S)′.
2. The re-encryption device according to claim 1, wherein the ciphertext ct_(S) includes a cipher element c₀, which is a vector in a basis B₀, wherein the decryption key sk_(Γ) includes a key element k*₀, which is a vector in a basis B*₀, wherein the converted decryption key sk_(Γ) ^(˜) is generated by setting the random number r in a certain basis vector of the basis B*₀, wherein the conversion information is obtained by multiplying an element A by the random number r, the element A being obtained by performing a pairing operation on an element of the basis B₀ and an element of the basis B*₀, and wherein the processing circuitry generates the decryption information K̂ by performing a pairing operation on a cipher element c of the ciphertext ct_(S) and a key element k* of the converted decryption key sk_(Γ) ^(˜), and generates the session key K by dividing the decryption information K̂ by the conversion information.
3. The re-encryption device according to claim 1, wherein the processing circuitry acquires the ciphertext ct_(S) indicated in Formula 1, acquires the re-encryption key rk indicated in Formula 2, and generates the cipher element K^(˜) indicated in Formula 3:

[Formula 1]

$$\begin{aligned}
&ct_{S} = (S := (M, \rho), \{c_i\}_{i=0,\dots,L}) \rightarrow \mathrm{Enc}(pk, S := (M, \rho)) \quad \text{where} \\
&\mathrm{Enc}(pk, S := (M, \rho)): \\
&\quad \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r},\ \vec{s}^{T} := (s_1, \dots, s_L)^{T} := M \cdot \vec{f}^{T},\ s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\quad \eta_0, \varsigma \overset{U}{\leftarrow} \mathbb{F}_q,\ c_0 := c + (\varsigma, -s_0, 0, 0, \eta_0, 0)_{\mathbb{B}_0}, \\
&\quad \text{for } i = 1, \dots, L, \\
&\qquad \text{if } \rho(i) = (t, \vec{v}_i := (v_{i,1}, \dots, v_{i,n_t}) \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\})\ (v_{i,n_t} \neq 0), \\
&\qquad\quad \theta_i, \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\qquad\quad c_i := (\overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
&\qquad \text{if } \rho(i) = \neg(t, \vec{v}_i), \\
&\qquad\quad \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\qquad\quad c_i := (\overbrace{s_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
&\text{return } ct_{S} := (S, \{c_i\}_{i=0,\dots,L}),\ K
\end{aligned}$$

[Formula 2]

$$\begin{aligned}
&rk := (s\tilde{k}_{\Gamma},\ A^{r} \cdot K',\ ct_{S'}) \quad \text{where} \\
&\quad s\tilde{k}_{\Gamma} := (\Gamma,\ k_0^{*} + r b_{0,6}^{*},\ \{k_t^{*}\}_{(t, \vec{x}_t) \in \Gamma}), \\
&\quad k_0^{*} := \\
&\quad k_t^{*} := (\overbrace{\delta \vec{x}_t}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\vec{\varphi}_t}^{n_t}, \overbrace{0}^{1})_{\mathbb{B}_t^{*}} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
&\quad \delta, \varphi_0, r \overset{U}{\leftarrow} \mathbb{F}_q,\ \vec{\varphi}_t \overset{U}{\leftarrow} \mathbb{F}_q^{n_t} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
&\quad (ct_{S'}, K') \rightarrow \mathrm{Enc}(pk, S')
\end{aligned}$$

[Formula 3]

$$\begin{aligned}
&\tilde{K} := \hat{K} / A^{r} \cdot K', \quad \text{where} \\
&\quad \hat{K} := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}, \\
&\quad \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&\quad I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}, \\
&\quad M_i \text{ is the } i\text{-th row of } M.
\end{aligned}$$


4. A cryptographic system comprising: an encryption device to generate a ciphertext ct_(S) out of a session key K and the ciphertext ct_(S) in which the session key K is encrypted that are generated by an encryption algorithm using as input attribute information S that defines a range to be permitted decryption; a re-encryption key generation device to generate a re-encryption key rk including a converted decryption key sk_(Γ) ^(˜) that is generated by setting a random number r in a decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, a session key K′ and a ciphertext ct_(S)′ in which the session key K′ is encrypted that are generated by the encryption algorithm using as input attribute information S′ that defines a range to be permitted decryption, and conversion information that is generated from the random number r; and a re-encryption device to generate a cipher element K^(˜) by deleting an element related to the random number r by the conversion information from decryption information K̂ and setting the session key K′, the decryption information K̂ being obtained by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) included in the re-encryption key rk, and output a re-encrypted ciphertext rct_(S′) including the cipher element K^(˜) and the ciphertext ct_(S′).
5. The cryptographic system according to claim 4, wherein the ciphertext ct_(S) includes a cipher element c₀, which is a vector in a basis B₀, wherein the decryption key sk_(Γ) includes a key element k*₀, which is a vector in a basis B*₀, wherein the converted decryption key sk_(Γ) ^(˜) is generated by setting the random number r in a certain basis vector of the basis B*₀, wherein the conversion information is obtained by multiplying an element A by the random number r, the element A being obtained by performing a pairing operation on an element of the basis B₀ and an element of the basis B*₀, and wherein the re-encryption device generates the decryption information K̂ by performing a pairing operation on a cipher element c of the ciphertext ct_(S) and a key element k* of the converted decryption key sk_(Γ) ^(˜), and generates the session key K by dividing the decryption information K̂ by the conversion information.
6. The cryptographic system according to claim 4, wherein the encryption device generates the ciphertext ct_(S) indicated in Formula 4, wherein the re-encryption key generation device generates the re-encryption key rk indicated in Formula 5, and wherein the re-encryption device generates the cipher element K^(˜) indicated in Formula 6:

[Formula 4]

$$\begin{aligned}
&ct_{S} = (S := (M, \rho), \{c_i\}_{i=0,\dots,L}) \rightarrow \mathrm{Enc}(pk, S := (M, \rho)) \quad \text{where} \\
&\mathrm{Enc}(pk, S := (M, \rho)): \\
&\quad \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r},\ \vec{s}^{T} := (s_1, \dots, s_L)^{T} := M \cdot \vec{f}^{T},\ s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\quad \eta_0, \varsigma \overset{U}{\leftarrow} \mathbb{F}_q,\ c_0 := c + (\varsigma, -s_0, 0, 0, \eta_0, 0)_{\mathbb{B}_0}, \\
&\quad \text{for } i = 1, \dots, L, \\
&\qquad \text{if } \rho(i) = (t, \vec{v}_i := (v_{i,1}, \dots, v_{i,n_t}) \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\})\ (v_{i,n_t} \neq 0), \\
&\qquad\quad \theta_i, \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\qquad\quad c_i := (\overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
&\qquad \text{if } \rho(i) = \neg(t, \vec{v}_i), \\
&\qquad\quad \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\qquad\quad c_i := (\overbrace{s_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
&\text{return } ct_{S} := (S, \{c_i\}_{i=0,\dots,L}),\ K
\end{aligned}$$

[Formula 5]

$$\begin{aligned}
&rk := (s\tilde{k}_{\Gamma},\ A^{r} \cdot K',\ ct_{S'}) \quad \text{where} \\
&\quad s\tilde{k}_{\Gamma} := (\Gamma,\ k_0^{*} + r b_{0,6}^{*},\ \{k_t^{*}\}_{(t, \vec{x}_t) \in \Gamma}), \\
&\quad k_0^{*} := \\
&\quad k_t^{*} := (\overbrace{\delta \vec{x}_t}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\vec{\varphi}_t}^{n_t}, \overbrace{0}^{1})_{\mathbb{B}_t^{*}} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
&\quad \delta, \varphi_0, r \overset{U}{\leftarrow} \mathbb{F}_q,\ \vec{\varphi}_t \overset{U}{\leftarrow} \mathbb{F}_q^{n_t} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
&\quad (ct_{S'}, K') \rightarrow \mathrm{Enc}(pk, S')
\end{aligned}$$

[Formula 6]

$$\begin{aligned}
&\tilde{K} := \hat{K} / A^{r} \cdot K', \quad \text{where} \\
&\quad \hat{K} := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}, \\
&\quad \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&\quad I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}, \\
&\quad M_i \text{ is the } i\text{-th row of } M.
\end{aligned}$$


7. The cryptographic system according to claim 6, further comprising a decryption device to decrypt the ciphertext ct_(S)′ included in the re-encrypted ciphertext rct_(S)′ with a decryption key sk_(Γ′) so as to generate the session key K′, and generate the session key K from a cipher element K^(˜) included in the re-encrypted ciphertext rct_(S)′ and the session key K′.
8. The cryptographic system according to claim 7, wherein the decryption device generates the session key K indicated in Formula 7:

[Formula 7]

$$K := \tilde{K} \cdot K'$$

9. A re-encryption method comprising: acquiring a ciphertext ct_(S) out of a session key K and the ciphertext ct_(S) in which the session key K is encrypted that are generated by an encryption algorithm using as input attribute information S that defines a range to be permitted decryption; acquiring a re-encryption key rk including a converted decryption key sk_(Γ) ^(˜) that is generated by setting a random number r in a decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, a session key K′ and a ciphertext ct_(S)′ in which the session key K′ is encrypted that are generated by the encryption algorithm using as input attribute information S′ that defines a range to be permitted decryption, and conversion information that is generated from the random number r; generating a cipher element K^(˜) by deleting an element related to the random number r by the conversion information from decryption information K̂ and setting the session key K′, the decryption information K̂ being obtained by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) included in the re-encryption key rk; and outputting a re-encrypted ciphertext rct_(S)′ including the cipher element K^(˜) and the ciphertext ct_(S)′.
10. A non-transitory computer readable medium storing a re-encryption program that causes a computer to function as a re-encryption device to perform: a ciphertext acquisition process of acquiring a ciphertext ct_(S) out of a session key K and the ciphertext ct_(S) in which the session key K is encrypted that are generated by an encryption algorithm using as input attribute information S that defines a range to be permitted decryption; a key acquisition process of acquiring a re-encryption key rk including a converted decryption key sk_(Γ) ^(˜) that is generated by setting a random number r in a decryption key sk_(Γ) with which the ciphertext ct_(S) can be decrypted, a session key K′ and a ciphertext ct_(S)′ in which the session key K′ is encrypted that are generated by the encryption algorithm using as input attribute information S′ that defines a range to be permitted decryption, and conversion information that is generated from the random number r; a re-encrypted ciphertext generation process of generating a cipher element K^(˜) by deleting an element related to the random number r by the conversion information from decryption information K̂ and setting the session key K′, the decryption information K̂ being obtained by decrypting the ciphertext ct_(S) with the converted decryption key sk_(Γ) ^(˜) included in the re-encryption key rk; and an output process of outputting a re-encrypted ciphertext rct_(S)′ including the cipher element K^(˜) and the ciphertext ct_(S)′.
11. The re-encryption device according to claim 2, wherein the processing circuitry acquires the ciphertext ct_(S) indicated in Formula 8, acquires the re-encryption key rk indicated in Formula 9, and generates the cipher element K^(˜) indicated in Formula 10:

[Formula 8]

$$\begin{aligned}
&ct_{S} = (S := (M, \rho), \{c_i\}_{i=0,\dots,L}) \rightarrow \mathrm{Enc}(pk, S := (M, \rho)) \quad \text{where} \\
&\mathrm{Enc}(pk, S := (M, \rho)): \\
&\quad \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r},\ \vec{s}^{T} := (s_1, \dots, s_L)^{T} := M \cdot \vec{f}^{T},\ s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\quad \eta_0, \varsigma \overset{U}{\leftarrow} \mathbb{F}_q,\ c_0 := c + (\varsigma, -s_0, 0, 0, \eta_0, 0)_{\mathbb{B}_0}, \\
&\quad \text{for } i = 1, \dots, L, \\
&\qquad \text{if } \rho(i) = (t, \vec{v}_i := (v_{i,1}, \dots, v_{i,n_t}) \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\})\ (v_{i,n_t} \neq 0), \\
&\qquad\quad \theta_i, \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\qquad\quad c_i := (\overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
&\qquad \text{if } \rho(i) = \neg(t, \vec{v}_i), \\
&\qquad\quad \eta_i \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\qquad\quad c_i := (\overbrace{s_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}, \\
&\text{return } ct_{S} := (S, \{c_i\}_{i=0,\dots,L}),\ K
\end{aligned}$$

[Formula 9]

$$\begin{aligned}
&rk := (s\tilde{k}_{\Gamma},\ A^{r} \cdot K',\ ct_{S'}) \quad \text{where} \\
&\quad s\tilde{k}_{\Gamma} := (\Gamma,\ k_0^{*} + r b_{0,6}^{*},\ \{k_t^{*}\}_{(t, \vec{x}_t) \in \Gamma}), \\
&\quad k_0^{*} := \\
&\quad k_t^{*} := (\overbrace{\delta \vec{x}_t}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\vec{\varphi}_t}^{n_t}, \overbrace{0}^{1})_{\mathbb{B}_t^{*}} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
&\quad \delta, \varphi_0, r \overset{U}{\leftarrow} \mathbb{F}_q,\ \vec{\varphi}_t \overset{U}{\leftarrow} \mathbb{F}_q^{n_t} \text{ for } (t, \vec{x}_t) \in \Gamma, \\
&\quad (ct_{S'}, K') \rightarrow \mathrm{Enc}(pk, S')
\end{aligned}$$

[Formula 10]

$$\begin{aligned}
&\tilde{K} := \hat{K} / A^{r} \cdot K', \quad \text{where} \\
&\quad \hat{K} := e(c_0, k_0^{*}) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^{*})^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}, \\
&\quad \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
&\quad I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}, \\
&\quad M_i \text{ is the } i\text{-th row of } M.
\end{aligned}$$


12. The cryptographic system according to claim 5, wherein the encryption device generates the ciphertext ct_(S) indicated in Formula 11, wherein the re-encryption key generation device generates the re-encryption key rk indicated in Formula 12, and wherein the re-encryption device generates the cipher element K^(˜) indicated in Formula 13 [Formula 11]  

 = ( 

 := (M, ρ), {c_(i)}_(i=0, . . . ,L)) → Enc(pk,

 := (M, ρ))  where   Enc(pk,  

 := (M, ρ)):
$\vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}$, $\vec{s}^{T} := (s_1, \dots, s_L)^{T} := M \cdot \vec{f}^{T}$, $s_0 := \vec{1} \cdot \vec{f}^{T}$,
$\eta_0, \varsigma \overset{U}{\leftarrow} \mathbb{F}_q$, $c_0 := c + (\varsigma, -s_0, 0, 0, \eta_0, 0)_{\mathbb{B}_0}$,
for $i = 1, \dots, L$,
if $\rho(i) = (t, \vec{v}_i := (v_{i,1}, \dots, v_{i,n_t}) \in \mathbb{F}_q^{n_t} \setminus \{\vec{0}\})$ $(v_{i,n_t} \neq 0)$,
$\theta_i, \eta_i \overset{U}{\leftarrow} \mathbb{F}_q$,
$c_i := (\overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}$,
if $\rho(i) = \neg(t, \vec{v}_i)$,
$\eta_i \overset{U}{\leftarrow} \mathbb{F}_q$,
$c_i := (\overbrace{s_i \vec{v}_i}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\eta_i}^{1})_{\mathbb{B}_t}$,
return

 := ( 

, $\{c_i\}_{i=0,\dots,L}$), K
[Formula 12]
$rk := (s\tilde{k}_{\Gamma}, A^{r} \cdot K',$

 _(′))
where
$s\tilde{k}_{\Gamma} := (\Gamma, k_0^* + r b_{0,6}^*,$

 _(∈Γ)),   k₀ ^(*):=

   $k_t^* := (\overbrace{\delta \vec{x}_t}^{n_t}, \overbrace{0^{n_t}}^{n_t}, \overbrace{\vec{\varphi}_t}^{n_t}, \overbrace{0}^{1})_{\mathbb{B}_t^*}$ for $(t, \vec{x}_t) \in \Gamma$,
   $\delta, \varphi_0, r \overset{U}{\leftarrow} \mathbb{F}_q$, $\vec{\varphi}_t \overset{U}{\leftarrow} \mathbb{F}_q^{n_t}$ for $(t, \vec{x}_t) \in \Gamma$,
   ( 

 _(′)), K′), → Enc(pk,

 ′)
[Formula 13]
$\tilde{K} := \hat{K} / A^{r} \cdot K'$,
where
$\hat{K} := e(c_0, k_0^*) \prod_{i \in I \land \rho(i) = (t, \vec{v}_i)} e(c_i, k_t^*)^{\alpha_i} \prod_{i \in I \land \rho(i) = \neg(t, \vec{v}_i)} e(c_i, k_t^*)^{\alpha_i / (\vec{v}_i \cdot \vec{x}_t)}$,
$\vec{1} = \sum_{i \in I} \alpha_i M_i$,
$I \subseteq \{ i \in \{1, \dots, L\} \mid [\rho(i) = (t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t = 0] \lor [\rho(i) = \neg(t, \vec{v}_i) \land (t, \vec{x}_t) \in \Gamma \land \vec{v}_i \cdot \vec{x}_t \neq 0] \}$,
$M_i$ is the $i$-th row of $M$.


13. The cryptographic system according to claim 12, further comprising a decryption device to decrypt the ciphertext ct_(S′) included in the re-encrypted ciphertext rct_(S′) with a decryption key sk_(Γ′) so as to generate the session key K′, and generate the session key K from a cipher element K^(˜) included in the re-encrypted ciphertext rct_(S′) and the session key K′.
14. The cryptographic system according to claim 13, wherein the decryption device generates the session key K indicated in Formula 14
[Formula 14]
$K := \tilde{K} \cdot K'$.
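As an added illustration (not code from the patent), the Python below works through the span-program arithmetic behind Formulas 11 and 13: the shares $\vec{s}^{T} = M \cdot \vec{f}^{T}$ and $s_0 = \vec{1} \cdot \vec{f}^{T}$, the selection of the index set $I$, and coefficients $\alpha_i$ with $\vec{1} = \sum_{i \in I} \alpha_i M_i$. The toy prime Q = 101, the tuple encoding of ρ, and the sample M, ρ and Γ are assumptions constructed for the example; it covers only the arithmetic over the field, not the pairing or dual-basis operations.

```python
# Added example (not from the patent). Requires Python 3.8+ for pow(x, -1, Q).
Q = 101  # small prime standing in for the field order q (constructed)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def accepted_rows(rho, gamma):
    """Rows eligible for I: rho(i) = (t, v) needs v.x_t = 0,
    rho(i) = not(t, v) needs v.x_t != 0; t must appear in Gamma."""
    return [i for i, (negated, t, v) in enumerate(rho)
            if t in gamma and (dot(v, gamma[t]) != 0) == negated]

def solve_alpha(M, rows):
    """Return {i: alpha_i} with sum_i alpha_i * M_i = (1,...,1) mod Q, or None."""
    r = len(M[0])
    # One linear equation per column of M; unknowns are alpha_i, i in rows.
    A = [[M[i][c] % Q for i in rows] + [1] for c in range(r)]
    pivots, top = [], 0
    for col in range(len(rows)):
        p = next((k for k in range(top, r) if A[k][col]), None)
        if p is None:
            continue  # free variable, left at 0
        A[top], A[p] = A[p], A[top]
        inv = pow(A[top][col], -1, Q)
        A[top] = [x * inv % Q for x in A[top]]
        for k in range(r):
            if k != top and A[k][col]:
                f = A[k][col]
                A[k] = [(x - f * y) % Q for x, y in zip(A[k], A[top])]
        pivots.append(col)
        top += 1
    if any(A[k][-1] for k in range(top, r)):
        return None  # (1,...,1) is outside the span: Gamma does not satisfy S
    alpha = {i: 0 for i in rows}
    for k, col in enumerate(pivots):
        alpha[rows[col]] = A[k][-1]
    return alpha

def recombine(M, alpha, f):
    """Shares s_i = M_i . f and s_0 = 1 . f; returns (sum alpha_i s_i, s_0)."""
    s0 = sum(f) % Q
    return sum(a * dot(M[i], f) for i, a in alpha.items()) % Q, s0

# Constructed sample: L = 3 rows, r = 2 columns; rho entries are (negated, t, v_i).
M = [[2, 1], [3, 5], [1, 1]]
RHO = [(False, 1, (3, Q - 1)), (True, 2, (5, Q - 1)), (False, 3, (4, Q - 1))]
GAMMA = {1: (1, 3), 2: (1, 7), 3: (1, 9)}  # (t, x_t) pairs held by the key
```

With this sample, rows 0 and 1 are accepted and recombine the shares to $s_0$, while an attribute set containing only t = 1 yields no solution.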